PBR with ACE in bridge mode
I have one ACE configured in bridge mode.
For proxy users: they have the VIP as their proxy, so the traffic from the client has the VIP as destination.
But there are some users without a proxy, so we used Policy Based Routing. It is working and I can see the connections on the ACE,
but with the destination IP of the websites, so the traffic is not coming back, as shown below:
BC-LB1/BlueCoat# sho conn | include 10.1.50.10
1782765 1 in TCP 210 10.1.50.10:52052 67.195.160.76:80 SYNSEEN
1355728 1 out TCP 210 67.195.160.76:80 10.1.50.10:52052 INIT
BC-LB1/BlueCoat#
In the PBR, we used the VIP as the next hop address.
Please advise what the problem is.
Thanks in advance
Good afternoon,
As you mentioned, it seems the return traffic is not coming back through the ACE. You should review your PBR configuration to ensure that the return traffic is also matched and sent to the ACE.
Regards
Daniel
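An added check, not part of the thread: the asymmetry Daniel describes is visible in the "sho conn" output the original poster pasted. The script below (Python, written for this page, not an ACE feature) parses those lines, pairs each inbound leg with its outbound leg, and flags flows whose client-side leg is stuck in SYNSEEN while the server-side leg never left INIT, which is what the ACE shows when the server's SYN-ACK returns over a path that bypasses it. The two conn lines are the ones from the post; the ESTAB pair, the column layout assumed by the regex and the state name ESTAB are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the first two lines are the ones pasted in the post;
# the second pair is a constructed healthy flow (ESTAB state is assumed).
SAMPLE_SHOW_CONN = """\
1782765 1 in TCP 210 10.1.50.10:52052 67.195.160.76:80 SYNSEEN
1355728 1 out TCP 210 67.195.160.76:80 10.1.50.10:52052 INIT
1782800 1 in TCP 210 10.1.50.11:40001 67.195.160.76:80 ESTAB
1355790 1 out TCP 210 67.195.160.76:80 10.1.50.11:40001 ESTAB
"""

# Assumed column layout: conn-id, context, direction, protocol, vlan,
# source ip:port, destination ip:port, state.
CONN_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<ctx>\d+)\s+(?P<dir>in|out)\s+(?P<proto>\S+)\s+"
    r"(?P<vlan>\d+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<state>\S+)\s*$"
)


def parse_conns(text):
    """Return one dict per parseable 'show conn' line."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            conns.append(m.groupdict())
    return conns


def flow_key(conn):
    """Canonical (proto, client ip, client port, server ip, server port) key,
    so the 'out' leg (server -> client) lands on the same key as its 'in' leg."""
    if conn["dir"] == "in":
        return (conn["proto"], conn["src"], conn["sport"], conn["dst"], conn["dport"])
    return (conn["proto"], conn["dst"], conn["dport"], conn["src"], conn["sport"])


def find_asymmetric_flows(text):
    """Flows where the ACE saw the client's SYN (SYNSEEN on the in leg) but the
    server-side leg never progressed past INIT: no SYN-ACK came back through it."""
    legs_by_flow = defaultdict(dict)
    for c in parse_conns(text):
        legs_by_flow[flow_key(c)][c["dir"]] = c["state"]
    suspects = []
    for key, legs in legs_by_flow.items():
        if legs.get("in") == "SYNSEEN" and legs.get("out", "INIT") == "INIT":
            suspects.append(key)
    return suspects


if __name__ == "__main__":
    for proto, cip, cport, sip, sport in find_asymmetric_flows(SAMPLE_SHOW_CONN):
        print(f"return path bypasses ACE? {proto} {cip}:{cport} -> {sip}:{sport}")
```

Run it against a pasted "show conn" capture; a long list of SYNSEEN/INIT pairs for clients that reach the VIP only via PBR, alongside ESTAB pairs for proxy clients, points at the PBR return leg rather than at the VIP itself.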
Similar Messages
-
ACE in bridge mode with FWSM as gateway
our design
FWSM--vlan 7--ACE-vlan 8---servers with default gateway as FWSM
Originally there were no plans for servers to load balance traffic when they wanted to communicate with each other; now there is a need for this.
Since ACE is in bridge mode, there are no IP addresses configured on its VLANs and it can't do source NAT.
What we want: servers in serverfarm A can contact a single IP which is load balanced, with traffic sent to serverfarm B. Both serverfarms reside in VLAN 8 and ACE is in bridge mode. With the VLAN not having an IP, how can we get this working? We were looking to create a policy on ACE with an IP address in VLAN 8 and then do a source NAT to send the traffic to serverfarm 7.
With FWSM as the default gateway, by enabling permit intra traffic, it doesn't work because the command routes the traffic; I don't think it will send the traffic back to the same VLAN.
e.g static (inside,outside) 10.7.0.1 10.7.8.13 and allow intra traffic.
So when a machine 10.7.8.11 pings 10.7.0.1 it goes to the FWSM, but the FWSM doesn't look for 10.7.8.13.
With ACE in bridge mode and FWSM doing the above, how do we get around this? Can something be done on ACE in bridge mode with source NAT?
Thanks
First, why don't you have an IP in your ACE VLAN?
Then, for traffic hitting a vip, we can do source nating even in bridge mode.
But if the vip is not an ip in vlan 8, your server will anyway send the traffic to the FWSM and ACE will first bridge the request.
The FWSM should then send the request back to ACE (not sure how this can be done).
So the request from the server will actually hit the vip on vlan 7 (not vlan 8).
So your policy-map with client nat must be on vlan 7.
Another option would be to configure a static route on the server to point the vip to the ACE vlan 8 ip address (which you should have configured).
In this case, the policy-map will have to be in vlan 8 with client-nat.
Gilles. -
How to Configure Transparent caching on Cat 6500 with CSM in bridge mode?
Hi.
I found How to Configure Transparent caching on Cat 6500 with CSM in routed mode.
But,
I need help How to Configure Transparent caching on Cat 6500 with CSM in bridge mode?
Please let me know sample configuration.
thanks.
Hi,
I wrote the document you mentioned and I also wrote the one below.
http://www.cisco.com/en/US/partner/products/hw/modules/ps2706/products_configuration_example09186a00802c1201.shtml
The one with the SSLM is a bridge mode config.
If you replace the SSLM with a cache [or a farm of caches] it would be a similar config.
Replace the SSL21 vserver with an HTTP vserver [most important is to keep the vlan configured on each vserver]
Regards,
Gilles. -
ACE problem - bridge mode - behind a firewall
Hello
We are having problems with one of our ACE contexts; this implementation was done by a supplier and I am trying to troubleshoot it.
The clients and the servers are on different subnets, there is a Nokia firewall in the middle. The firewalls are setup on a cluster.
Connecting to port 7072 is taking at least 30 seconds. If I move the server into the VLAN in front of the ACE, the connection is instant. So it does indicate a problem on the ACE.
The client IP is .99.11.
The VIP is .100.62 and the server node is .100.12.
Running the capture command I can see the following behavior:
1. The client initiates the connection to the ACE Vip
2. At the same time it looks like a second connection is initiated from the client to the server node
Please see attachment.
Is this a normal situation where the connection is duplicated?
Does this interface setup look correct?
Is the bridge mode the correct setup in this scenario?
interface vlan 10
bridge-group 2
no normalization
mac-sticky enable
access-group input PERMITALL
service-policy input VLAN10-INTER-MMPM
no shutdown
interface vlan 15
bridge-group 2
no normalization
access-group input PERMITALL
no shutdown
interface bvi 2
ip address 192.168.100.7 255.255.255.192
alias 192.168.100.6 255.255.255.192
peer ip address 192.168.100.8 255.255.255.192
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.100.1
Many thanks,
Damian
Thanks for replying James,
I am sure I configured the capture only for VLAN10 which is in the VIP side.
But you are right, it looks like is showing both VLAN10 and VLAN15. So that is one of my theories out of the window! :)
This is a new installation, still on the testing stage. So it would be good time to make changes.
Do you normally implement a routed setup behind a firewall? Rather than a bridged...
It is quite a small setup:
• Traffic is coming from a separate local subnet
• Traffic is not coming from the internet so it does not require NAT
• We need 1 VIP listening on two ports
• The backend servers are four Linux boxes
Thanks again,
Damian -
No ip with router in bridge mode
I am running a 2009 Mac Pro, OS X Server, with some minor and ultimately forgotten changes to Unix level services like PHP.
It's been customized, but everything works. Except for one thing, under peculiar circumstances, and I really need help to fix the problem.
Here it is as quickly as I can describe it:
I am running an Airport Extreme router off of my brand new FIOS router (wifi out of the Airport). The FIOS router wants the Airport in "bridge mode" (if you do not know what bridge mode is, you probably cannot help me). When I set the Airport to bridge mode, my computer cannot get an IP address. It can't see the router, and it doesn't seem to be able to see it at all.
I have 2 computers in addition to this (older mac pro, and a brand new Macbook Air) that don't even need to be nudged. they just work.
I have 3 iDevices that work without complaint as well.
I also have a Wii and a PS3 that, again, without any prodding, accept the change to bridge mode, and get on with it.
Can anyone out there suggest any possibilities here?
The only things that are majorly different are that the Airport Extreme is changed over to bridge mode, and the IP address list is different (192.168... vs the 10.0.1....).
I can work without being in bridge mode, but it robs me of performance, and I like to follow the rules.
Grant, the only true statement was the first one.
The APE is smart enough to do all of the other things you suggest, automatically.
I know that I mentioned that there are a lot of other devices and that they do not have any difficulty when the router is switched into bridge mode. Let me be more succinct...
No other internet appliance on the network (and there are quite a few) has any difficulty connecting to the internet automatically and without even the slightest adjustment, once the APE is put into bridge mode.
But since I am trying to figure this out, I have more information.
First, my Mac Pro does seem to have an IP address from the router; in that I was mistaken. It has an IP and it cannot connect to the internet.
Second, I decided to try to connect to the FIOS router's wifi directly, to try to determine where the problem is, and it appears that I have the exact same problem directly connected to the FIOS router's wifi.
Any inspiration would be appreciated, but I think I might know what is going on. The Mac Pro wants one specific IP address. I think I might have given it a static IP years ago, and there might be some Unixy things I have to do to undo that. -
ACE in bridged mode and multicast
We have configured an ACE SM in bridge mode and have a requirement to enable multicast on one of the networks where the back-end servers are residing. Will ACE support multicast out of the box, or will we need to do any tweaking on the ACE to enable the multicast support?
Thanks..
Hi Gilles,
Is it also supported in routed mode?
The ACE isn't doing multicast routing, right?
Actually, the server-side vlan is being routed on the C6500 and has pim sparse-dense mode enabled.
We want to move this server-side vlan behind the ace in routed mode. What about the pim?
Any ideas?
thanks,
Dario -
Guest Networking with Time Capsule - bridge mode?
Hi, hopefully someone can help.
I'm trying to set up guest networking with my Time Capsule but it's currently set up in bridge mode so it won't let me.
When I try it in public IP address mode it says 'The DHCP range you have entered conflicts with the WAN IP address of your Airport wireless device'
I'm completely new to networking and have no idea what most of these terms mean, despite googling them all!
Can anyone advise on what I need to do to get it all set up?
Thanks in advance, any help much appreciated!!
Andy
Is there no way I could switch off part of the router so it just becomes a modem (or are they completely different things)?
It might be possible to convert the gateway to function as a simple bridge only modem, but that would involve checking with the support folks for the device. I doubt that your service provider will provide any assistance with this, because they will likely claim that this type of configuration is not supported.
So, look to see who actually manufactured the device and check with their online forum or support site to see if the conversion to a simple bridge only modem is possible.
You don't indicate whether you have cable or DSL service, and that will of course affect things as well. If you need to go to a simple modem, the best choice is always a device offered by your service provider, so that you will be supported in the event of Internet connection difficulties.
If you try an off-the-shelf modem and have any problems, your service provider will offer little or no support. Often, you can get a free modem from your provider in return for a commitment of a year's service. Might be worth checking that out. -
Time Capsule with Extreme in Bridge Mode
I want to connect a Time Capsule (latest version) to an Airport Extreme (latest version) in bridge mode. Is it possible to have a guest network with this configuration? If so, how do I configure the stations?
I currently own the latest version of Airport Extreme (not in bridge mode) and was thinking about adding a Time Capsule for extending the network in my home and for data backups.
OK, got that. You asked about a Guest Network earlier.....does the AirPort Extreme currently provide both a "main" and "guest" network?
I wanted to make the T.C. my main router and wire it to my existing Extreme (after a factory reset).
Here, I am confused.....since you just noted that you wanted to add the Time Capsule to extend the AirPort Extreme network? In that case, the Time Capsule will extend the main network....and the guest network provided by the AirPort Extreme.
But....the Time Capsule will not be the main router in this type of setup. It will be the extending device.....unless.....you mean to say that you plan to swap roles and locate the Time Capsule where the Airport Extreme currently is located and vice versa. Is this what you want to do?
From what I've read on Apple sites, I should set the A.E. in bridge mode, correct?
You don't need to set the extending router in Bridge Mode.....AirPort Utility will do that for you automatically during the setup.
It sounds like you may be reading some older support documents and thinking that you must manually configure Bridge Mode. This is no longer required. The extending device will be configured in Bridge Mode by AirPort Utility. You do not have to worry about doing this yourself. -
How to setup LAPAC1750-PRO with LAPAC1750 Workgroup Bridge Mode as WiFi Extender
I've got the following devices:
1 LRT224 Dual WAN Gigabit VPN Router (Load Balancing)
2 LAPAC1750-PRO Access Points
6 LAPAC1750 Access Points
I'm supposed to make a Cluster between the 2 LAPAC1750-PRO and then connect the 6 LAPAC1750 using Workgroup Bridge Mode, but after purchasing and while configuring, I found the strange thing that:
If I need to set up a Workgroup Bridge Mode, the clustering will not be available (so I need to make the changes on either PRO AP whenever I need to perform some), and the Bridge Mode needs to be disabled if Clustering is ON or vice versa.
+--- The Configuration ---+
I've made 2 subnets:
192.168.1.x (Existing)
192.168.10.x (New)
and configured 4 APs on each (1 PRO and 3 Normal using Trunking between 2 HP 1910 24 Switches) and then again found some strange thing that:
Only 1 Normal AP can be connected to PRO in a Workgroup Bridge Mode, and vice versa.
+--- The Problem ---+
--- Please correct me if I'm wrong
It is supposed to extend the Wireless Range, therefore I need to do the following:
The PRO AP needs to connect to AP 1, and AP 1 then connects to AP 2 and so on in Workgroup Bridge Mode ...
OR
All the APs need to connect to the PRO one by registering one by one in Workgroup Bridge Mode
Thanx in Advance
Thanx! The information is very helpful.
-
Design question: ACE module connected to 2 different L3 engine while in bridge mode
Fellow engineers,
I have been working on a design model where the ACE module will provide SLB for both virtual and real servers. We have been deploying several UCS systems and the customer would like to use the ACE as our Enterprise SLB layer
configured in bridge mode.
The MSFC within the 6509 provides the L3 routing. However we may extend multiple VLANs (v160-v163) via the Nexus switch layer (7k, 5k, 2k) to a FW appliance which now is the SVI interface for the extended VLANs. These VLANs will be configured on a dedicated context.
The extension is based on the bridge mode operation as follows:
Need help with the following:
1) If I have 4 BVIs configured, do I need to have a default route configured?
2) My total count for VLANs is: v160-v163 for server VLANs, and v101 is the management VLAN. The SVI for this VLAN is on the MSFC card. The server GWs are pointing to each dedicated SVI on the FW+L3 appliance.
3) If my default route on the context is pointing to the v160 SVI on the FW+L3 engine, will that prevent the return traffic for other VLANs (v161-v163) from the ACE toward the client?
4) Is a default route necessary if you have the ACE in bridge mode?
It was brought to my attention that if you have multiple VLANs configured in bridge mode pointing to another L3 engine, then each VLAN would have to be configured on a separate context since you can only have one default route per context.
I appreciate any feedback on this inquiry. If you need additional information please let me know.
Thanks and best regards,
Raman Azizian
Hi Raman,
You can have up to eight default routes in one context. What the ACE is doing with the entries is to create an ARP entry with the name GATEWAY. If you need more than eight entries, just declare the gateways as rservers. In that case the ARP entry is stored as RSERVER instead of GATEWAY. The trick is to tell ACE to learn the MAC address for the IP address and store it in the ARP table. The ACE never learns a MAC address by itself. Don't forget mac-sticky enable on VLANs facing the gateway.
I'm running one context in bridge mode and have 18 BVIs with FW and Router 6509 as gateways.
Example:
Interface to ROUTER 6509
interface vlan 300
bridge-group 300
no normalization
mac-sticky enable
access-group input BPDU
access-group input alla
access-group output alla
service-policy input lb-int-vlan300
no shutdown
rserver host 300GATEWAY
ip address 164.135.121.47
inservice
A#1/prod1# sho arp | i 164.135.121.47
164.135.121.47 00.08.e3.ff.fc.14 vlan300 RSERVER 4775 239 sec up
A#1/prod1#
Interface to FIREWALL
interface vlan 802
bridge-group 802
no normalization
mac-sticky enable
access-group input BPDU
access-group input alla
access-group output alla
service-policy input lb-int-vlan802
no shutdown
rserver host 802GATEWAY
ip address 192.168.137.1
inservice
192.168.137.1 00.23.33.6a.bf.80 vlan802 RSERVER 4785 5 sec up
Regards
Mats -
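An added example, not part of Mats's reply: a small reconciliation script (Python, written for this page, not an ACE feature) that reads the gateway rserver definitions from an ACE context config and checks the "show arp" output for a learned, up entry for each one, which is the condition Mats describes (the ACE only holds a MAC for an address it has been told to learn). The two ARP lines are the ones Mats pasted. The third gateway rserver, 999GATEWAY with 10.0.0.1, and the non-gateway rserver WEB1 are constructed assumptions added to show the failure case and the filtering; the "...GATEWAY" naming rule follows Mats's convention, and the column layout assumed by the ARP regex is an assumption.

```python
import re

# Constructed sample config: the first two gateway rservers are Mats's;
# 999GATEWAY (no ARP entry) and WEB1 (not a gateway) are constructed.
SAMPLE_CONFIG = """\
rserver host 300GATEWAY
  ip address 164.135.121.47
  inservice
rserver host 802GATEWAY
  ip address 192.168.137.1
  inservice
rserver host 999GATEWAY
  ip address 10.0.0.1
  inservice
rserver host WEB1
  ip address 10.1.1.10
  inservice
"""

# The two ARP lines pasted by Mats; 10.0.0.1 is deliberately absent.
SAMPLE_SHOW_ARP = """\
164.135.121.47 00.08.e3.ff.fc.14 vlan300 RSERVER 4775 239 sec up
192.168.137.1 00.23.33.6a.bf.80 vlan802 RSERVER 4785 5 sec up
"""

# Assumed column layout: ip, mac, vlan, entry type, encap id, age, state.
ARP_RE = re.compile(
    r"^(?P<ip>[\d.]+)\s+(?P<mac>[0-9a-fA-F.]+)\s+(?P<vlan>vlan\d+)\s+"
    r"(?P<type>\S+)\s+(?P<encap>\d+)\s+(?P<age>\d+)\s+sec\s+(?P<state>\S+)\s*$"
)


def parse_gateway_rservers(config_text):
    """Map gateway rserver name -> IP; only names ending in GATEWAY count
    (the naming convention used in the reply above, an assumption here)."""
    gateways = {}
    current = None
    for line in config_text.splitlines():
        s = line.strip()
        m = re.match(r"rserver host (\S+)", s)
        if m:
            current = m.group(1) if m.group(1).upper().endswith("GATEWAY") else None
            continue
        m = re.match(r"ip address ([\d.]+)", s)
        if m and current:
            gateways[current] = m.group(1)
    return gateways


def parse_show_arp(arp_text):
    """Map IP -> parsed ARP fields for every line that matches the layout."""
    entries = {}
    for line in arp_text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            entries[m.group("ip")] = m.groupdict()
    return entries


def check_gateways(config_text, arp_text):
    """Per gateway rserver: 'ok: <mac> on <vlan> (<type>)' or why it is unusable."""
    arp = parse_show_arp(arp_text)
    report = {}
    for name, ip in parse_gateway_rservers(config_text).items():
        entry = arp.get(ip)
        if entry is None:
            report[name] = f"no ARP entry for {ip}: MAC not learned"
        elif entry["state"] != "up":
            report[name] = f"ARP entry for {ip} is {entry['state']}"
        else:
            report[name] = f"ok: {entry['mac']} on {entry['vlan']} ({entry['type']})"
    return report


def missing_gateways(config_text, arp_text):
    """Names of gateway rservers the ACE cannot currently forward to."""
    report = check_gateways(config_text, arp_text)
    return sorted(n for n, status in report.items() if not status.startswith("ok:"))


if __name__ == "__main__":
    for name, status in check_gateways(SAMPLE_CONFIG, SAMPLE_SHOW_ARP).items():
        print(f"{name:12} {status}")
```

Feed it the running config and a fresh "show arp" after bringing up each bridged VLAN; a gateway that shows up here as "MAC not learned" is the first thing to check when return traffic for one of the bridged VLANs stops at the ACE.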
ACE 4710 in bridge mode not working
I am trying to configure ACE 4710 in bridge mode and I am stuck in the physical interface configuration. I have configured gig1/2 of the ACE as a trunk port, and on the layer 2 switch I have assigned that interface (gig1/2) to VLAN 11. I tried a trunk port also but it got disabled due to a BPDU error.
I am not able to ping servers as well as gateway. Below are the topology and context configuration:
Router (vlan 13: IP 172.16.11.254)
|
ACE (int gig1/2)
|
L2 Switch
|
Servers (vlan 11: IP 172.16.11.1 and 11.2)
Admin Context
===========
resource-class rc1
limit-resource all minimum 0.00 maximum unlimited
limit-resource sticky minimum 0.20 maximum unlimited
boot system image:c4710ace-mz.A3_2_4.bin
interface gigabitEthernet 1/1
switchport access vlan 1000
no shutdown
interface gigabitEthernet 1/2
switchport trunk allowed vlan 11,13
no shutdown
interface gigabitEthernet 1/3
shutdown
interface gigabitEthernet 1/4
shutdown
access-list ALL line 8 extended permit ip any any
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
interface vlan 1000
ip address 172.16.16.16 255.255.255.0
access-group input ALL
service-policy input remote_mgmt_allow_policy
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.16.254
context test
allocate-interface vlan 11
allocate-interface vlan 13
member rc1
test Context
=========
access-list bpdu-fixup ethertype permit bpdu
access-list ALL line 8 extended permit ip any any
access-list ALL line 16 extended permit icmp any any
rserver host srv1
ip address 172.16.11.1
inservice
rserver host srv2
ip address 172.16.11.2
inservice
serverfarm host srv
rserver srv1
inservice
rserver srv2
inservice
sticky ip-netmask 255.255.255.255 address both SG1
timeout 120
serverfarm srv
class-map type management match-any remote-mgmt
201 match protocol snmp any
202 match protocol ssh any
203 match protocol icmp any
204 match protocol http any
205 match protocol https any
206 match protocol xml-https any
class-map match-all slb-vip
2 match virtual-address 172.16.11.10 any
policy-map type management first-match remote-mgmt
class remote-mgmt
permit
policy-map type loadbalance first-match slb
class class-default
sticky-serverfarm SG1
policy-map multi-match client-vips
class slb-vip
loadbalance vip inservice
loadbalance policy slb
loadbalance vip icmp-reply
interface vlan 11
bridge-group 1
access-group input bpdu-fixup
access-group input ALL
access-group output ALL
no shutdown
interface vlan 13
bridge-group 1
access-group input bpdu-fixup
access-group input ALL
access-group output ALL
service-policy input remote-mgmt
service-policy input client-vips
no shutdown
interface bvi 1
ip address 172.16.11.9 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.11.254
Could you please suggest where I am going wrong?
Thanks,
Pawan
"I tried trunk port also but it got disabled" <----- if your L2 config is not correct, nothing will work.
What is the setup on the switch? Trunk or access vlan?
What is the status of the interface? up? down?
Do you see something in your arp table?
Gilles. -
ACE dropped conns problem (Bridged mode)
Dear all,
I configured an ACE in bridged mode (inside vlan: 2012, outside vlan: 2021) and I applied the L4 policy on the 2 VLAN interfaces to load balance incoming HTTP requests (Virtual IP: 172.22.22.130).
interface vlan 2112
bridge-group 1
access-group input BPDU-Allow
service-policy input POLICY-LB-HMC-2112
no shutdown
interface vlan 2122
bridge-group 1
access-group input BPDU-Allow
service-policy input POLICY-LB-HMC-2112
no shutdown
But I also need some other servers connected to the same VLAN 2112 to send HTTP requests to the same VIP; this fails and I get dropped conns.
Can anyone help?
Regards
Abdelaziz
Hi Olivier,
Below is the full config. My need is to make a server in the inside VLAN 2112 (172.22.22.121) open an HTTPS connection to the VIP (172.22.22.130 for rservers .131 & .132). Traffic from the outside is working well.
Thanx,
Abdelaziz
Generating configuration....
access-list BPDU-Allow ethertype permit bpdu
probe tcp HTTPS
port 443
interval 15
passdetect interval 15
passdetect count 1
probe icmp PING
interval 5
rserver host CASHUB131
ip address 172.22.22.131
inservice
rserver host CASHUB132
ip address 172.22.22.132
inservice
serverfarm host SFARM-EXCAS130
probe HTTPS
rserver CASHUB131
inservice
rserver CASHUB132
inservice
parameter-map type connection TCP_IDLE_30min
set timeout inactivity 1800
class-map match-all CLASS-L4-VIP-EXCAS130
2 match virtual-address 172.22.22.130 any
class-map type management match-any REMOTE-ACCESS
description management ACE
10 match protocol telnet any
20 match protocol ssh any
30 match protocol icmp any
31 match protocol https any
32 match protocol snmp any
policy-map type management first-match REMOTE-MGT
class REMOTE-ACCESS
permit
policy-map type loadbalance first-match POLICY-L7-VIP-EXCAS130
class class-default
serverfarm SFARM-EXCAS130
policy-map multi-match POLICY-LB-HMC-2112
class CLASS-L4-VIP-EXCAS130
loadbalance vip inservice
loadbalance policy POLICY-L7-VIP-EXCAS130
loadbalance vip icmp-reply
connection advanced-options TCP_IDLE_30min
interface vlan 2112
bridge-group 1
access-group input BPDU-Allow
service-policy input POLICY-LB-HMC-2112
no shutdown
interface vlan 2122
bridge-group 1
access-group input BPDU-Allow
service-policy input POLICY-LB-HMC-2112
no shutdown
interface bvi 1
ip address 172.22.22.250 255.255.255.0
peer ip address 172.22.22.251 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.22.22.254 -
I configured an ACE30-MOD-K9 in bridge mode and I configured a server farm with its real servers. The traffic passes and is balanced correctly between all rservers. But I cannot contact a server that is on the same VLAN as the serverfarm but doesn't belong to this serverfarm.
I thought that the traffic directed to this "spare" server shouldn't be balanced, but the bridge should permit the traffic to pass (transparent mode). Is that correct?
What does ACE in bridge mode do with traffic directed to servers that do not belong to any server farm but are present on the same VLAN (same bridge group)?
With respect to the following configuration, 10.10.10.168 isn't reachable:
access-list INBOUND line 8 extended permit ip any any
access-list INBOUND line 16 extended permit icmp any any
probe http HTTP_PROBE1
expect status 200 200
rserver host RS_WEB1
ip address 10.10.10.163
inservice
rserver host RS_WEB2
ip address 10.10.10.164
inservice
rserver host RS_WEB3
ip address 10.10.10.165
inservice
rserver host RS_WEB4
ip address 10.10.10.167
inservice
serverfarm host SF_FIREGROUP
rserver RS_WEB1
inservice
rserver RS_WEB2
inservice
rserver RS_WEB3
inservice
rserver RS_WEB4
inservice
sticky ip-netmask 255.255.255.255 address source sticky-ip
replicate sticky
serverfarm SF_FIREGROUP
sticky http-cookie myCookie sticky-cookie
cookie insert browser-expire
serverfarm SF_FIREGROUP
class-map match-any VS_FIREGROUP
2 match virtual-address 10.10.10.169 tcp eq www
4 match virtual-address 10.10.10.169 tcp eq 8081
5 match virtual-address 10.10.10.169 tcp eq 8082
6 match virtual-address 10.10.10.169 tcp eq 8083
7 match virtual-address 10.10.10.169 tcp eq 8084
8 match virtual-address 10.10.10.169 tcp eq 8085
9 match virtual-address 10.10.10.169 tcp eq 8097
class-map match-any VS_FIREGROUP_HTTPS
2 match virtual-address 10.10.10.169 tcp eq https
policy-map type loadbalance first-match HTTP
class class-default
sticky-serverfarm sticky-cookie
policy-map type loadbalance first-match HTTPS
class class-default
sticky-serverfarm sticky-ip
policy-map multi-match HTTP_HTTPS_MULTI_MATCH
class VS_FIREGROUP
loadbalance vip inservice
loadbalance policy HTTP
loadbalance vip advertise active
class VS_FIREGROUP_HTTPS
loadbalance vip inservice
loadbalance policy HTTPS
loadbalance vip advertise active
interface vlan 4
bridge-group 1
access-group input INBOUND
service-policy input HTTP_HTTPS_MULTI_MATCH
no shutdown
interface vlan 700
bridge-group 1
access-group input INBOUND
no shutdown
interface bvi 1
ip address 10.10.10.150 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 10.10.10.1
Thanks a lot
Francesco
Hi Francesco,
Just to add a bit more: a bridge group is very similar to routed mode, except that ACE cannot NAT pass-through traffic, VLANs cannot be shared, and a couple of other things, but clients should be able to access the server as before.
But also, whether in bridge or routed mode, ACE does create flows and applies other security parameters, if configured, to the traffic. This is for security. Also, ACE should know the MAC of the device to forward the traffic to. Can you check if ACE has the MAC of the destination? You can also put a route in for testing purposes and see if that resolves the issue. That should probably be the quickest way to check if ACE is creating any issue here.
Regards,
Kanwal -
WAAS traffic interception with ACE
I will use ACE for WAAS traffic interception and I need help with:
1. If I use ACE, there is no need for WCCP for traffic interception, right?
2. If I use ACE, should I make 3 VLANs: vlan10 for clients (facing the WAN), vlan12 for WAEs & vlan11 for the datacenter?
If I make interface vlan10 in the 6500 and give it IP 10.1.1.1, should I give interface vlan10 in the ACE 10.1.1.1 (the same IP in the 6500 & ACE)? Is it logical to give the same interface VLAN IP to two devices, or will that generate a duplicate IP error?
3. If that is right, can I make a static route in the ACE to the 6500 interface vlan10, "ip route 0.0.0.0 0.0.0.0 10.1.1.1"?
4. When I define an access-list in the ACE to define the traffic which can be routed through the ACE, if I deny a certain network (permit only the network that I want to redirect to the WAEs), will the other traffic be routed through the 6500 to the core? I will use "transparent" in the server farm & no ip normal. In other words, can I consider the access-list in ACE like the access-list I'm using in WCCP?
5. In the topology I have 2 6500s and I will install 2 ACEs (1 ACE in each 6500), and I will attach 1 WAE to each 6500 switch, one VLAN for the WAEs. I will make a server farm and allocate the 2 WAEs in it, define the server farm in the 2 ACEs, and make the default route in the two ACEs point to interface vlan 10.1.1.1. In this way, will the ACE load balance between the 2 WAEs and will traffic interception work well or not?
And finally, I'm sorry for these many questions, but I think I will find the answers.
Usama,
Here are the answers to your questions:
1. Correct.
2. You would not configure the same IP address on the ACE and MSFC. As far as how the VLANs should be configured, that somewhat depends on your deployment. What you have described would be common if you are deploying ACE in bridged mode. In routed mode, you can deploy ACE in a one-arm configuration.
3. Yes.
4. ACE does not pass traffic by default. You must explicitly permit the traffic you want to pass. Said differently, if you do not permit the traffic in your ACL, it will be dropped.
5. If you are using a single context in ACE, they will be active/passive (i.e. only one ACE module will handle traffic at any given point in time). The configuration will automatically be synchronized between the active and passive modules.
How are you planning to get traffic to the ACE module?
Zach