Reg:FWSM router mode issue

Hi,
I have a Cisco FWSM installed on a Cisco 7613 router. The topology is as shown below:
        7613+{FWSM}------3560---------3560----[10.220.0.0/29,10.220.1.0/29,10.220.2.0/29] 
Here we created a p2p link between the 7613 gig port and the 3560 switch gig port (say 10.220.1.252/29), and there is a trunk between both 3560 switches. We wish to run the FWSM in router mode and configured VLAN groups 10 (101,102) and 20 (200,201), and assigned both these groups to the firewall module. On the router, on VLAN 200, IP address 192.168.2.1/24 has been given, while on the FWSM, on int vl 200, IP 192.168.2.2 has been given. Although the interfaces are up and can ping their own IP addresses, they cannot ping each other (both IP addresses appear in sh arp, though). Kindly help in resolving this issue.
Also, I configured VLAN 201 as inside; it is also up and visible in the ARP table of the router but cannot ping the others. Kindly help in the resolution of this issue.
We need to put this firewall in front of the router, which has a serial line to another 7600 router. How would I take traffic to the FWSM? Please suggest what else I need to do, as I am new to FWSM.
router config:
Router#sh firewall module
Module Vlan-groups
  04   1,2
Router#sh firewall vlan-group
Display vlan-groups created by both ACE module and FWSM
Group    Created by      vlans
    1           ACE      100-101,200-202
    2                    <empty>
Router#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.225.62.145           -   001d.a156.9300  ARPA   GigabitEthernet10/1
Internet  10.225.62.146         107   001d.a1a5.fbc1  ARPA   GigabitEthernet10/1
Internet  192.168.2.1             -   001d.a156.9300  ARPA   Vlan200
Internet  192.168.2.2             7   0007.0e5c.3d00  ARPA   Vlan200
Internet  192.168.3.1             4   0007.0e5c.3d00  ARPA   Vlan201
Internet  192.168.3.2             -   001d.a156.9300  ARPA   Vlan201
Fwsm config:
hostname FWSM
interface Vlan200
nameif outside
security-level 0
ip address 192.168.2.2 255.255.255.0
interface Vlan201
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:4e3eadb1a489f3b696d0c6da8b1b20b9
: end
FWSM#
FWSM# sh arp
        outside 192.168.2.1 001d.a156.9300
        inside 192.168.3.2 001d.a156.9300
        eobc 127.0.0.81 0000.1800.0000
FWSM# sh int
Interface Vlan200 "outside", is up, line protocol is up
  Hardware is EtherSVI
        MAC address 0007.0e5c.3d00, MTU 1500
        IP address 192.168.2.2, subnet mask 255.255.255.0
  Traffic Statistics for "outside":
        6 packets input, 658 bytes
        12 packets output, 1316 bytes
        474 packets dropped
Interface Vlan201 "inside", is up, line protocol is up
  Hardware is EtherSVI
        MAC address 0007.0e5c.3d00, MTU 1500
        IP address 192.168.3.1, subnet mask 255.255.255.0
  Traffic Statistics for "inside":
        6 packets input, 658 bytes
        7 packets output, 726 bytes
        107 packets dropped

hi,
thanks for being so helpful. There is a little issue that has arisen: I cannot ping the inside address configured on the FWSM (192.168.3.1), whereas I can ping 192.168.3.2 on the router interface. I cannot telnet to the FWSM using its outside interface IP 192.168.2.2 either. Here is my FWSM config; kindly suggest if there is any mistake.
thanks.
Also, I tried to ping the inside FWSM interface from my client 10.220.2.2 with debug enabled, and got this:
FWSM# debug icmp trace 255
debug icmp trace enabled at level 255
FWSM# ICMP echo request (len 50 id 2 seq 34642) 10.220.2.2 > 192.168.2.2
ICMP echo reply (len 50 id 2 seq 34642) 192.168.2.2 > 10.220.2.2
ICMP echo request (len 50 id 2 seq 34898) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 50 id 2 seq 34898) 192.168.3.1 > 10.220.2.2
ICMP echo request (len 32 id 2 seq 35154) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 32 id 2 seq 35154) 192.168.3.1 > 10.220.2.2
ICMP echo request (len 32 id 2 seq 43602) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 32 id 2 seq 43602) 192.168.3.1 > 10.220.2.2
ICMP echo request (len 32 id 2 seq 49746) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 32 id 2 seq 49746) 192.168.3.1 > 10.220.2.2
ICMP echo request (len 32 id 2 seq 55634) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 32 id 2 seq 55634) 192.168.3.1 > 10.220.2.2
ICMP echo request (len 50 id 2 seq 25683) 10.220.2.2 > 192.168.2.2
ICMP echo reply (len 50 id 2 seq 25683) 192.168.2.2 > 10.220.2.2
ICMP echo request (len 50 id 2 seq 25939) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 50 id 2 seq 25939) 192.168.3.1 > 10.220.2.2
Kindly suggest what could be done.
thanks.

Similar Messages

  • ACE bridge mode , FWSM routed mode

    I have the following scenario:
    MSFC ---vlan 777----FWSM----vlan160---ACE----VLAN180
    FWSM is working in routed mode and vlan 777 is shared between the MSFC and FWSM
    ACE is working in bridged mode and vlan 160 is shared between the FWSM and ACE
    vlan 180 is the server side vlan
    I want the FWSM IP address to be the server gateway while the ACE module is in bridge mode.
    I created a BVI interface but I can't ping from ACE to FWSM or from FWSM to ACE.
    If I change ACE to routed mode, I can ping the FWSM.
    Can anybody help me with this issue?

    The config looks good.
    I would look at the arp table on FWSM and ACE when the ping fails and also capture a sniffer trace of ACE tengig interface and see if the ping request goes out - on which vlan - and if we get a response.
    Is everything else working?
    Like ping through the ACE module ?
    Your config does not show a 'no shutdown' on the vlan interface, but I assume you fixed that already.
    Gilles.

  • Sharing a VLAN between FWSM and ACE (Routed Mode)

    Anybody in here with experience on sharing a Vlan between an ACE and a FWSM module?
    I have a transfer network between the ACE and the FWSM in the same chassis. FWSM gets several vlans and ACE gets some Vlans.
    I wanted to configure it like this.
    firewall vlan group 10 <FWSM only vlans>
    firewall vlan group 20 <shared FWSM and ACE vlan>
    or
    svclc vlan group 20 <shared FWSM and ACE vlan>
    svclc vlan group 30 <ACE only vlans>
    The design hides the client side network and the server side network for the ACE behind the FWSM module.
    Layout:
    |-- Clients <--> MSFC <--> FWSM <--> ACE <--> Server --|
    So allocation on the 65xx would be like this.
    firewall module n vlan-group 10,20
    svclc module n vlan-group 20,30
    Any obvious issues with this design if you share the vlan(s) referred in group 20 with both modules?
    FWSM and ACE will be in routed mode.
    Thanks for reading...
    Roble

    Never mind...
    Just found the perfect answer for this in another posting from Syed.
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Data%20Center&topic=SNA%20Data%20Center%20Networking&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dddee0b/0#selected_message
    Roble

  • ACE routed mode design issue

    I am configuring ACE in routing mode ,
    Below is my ACE interface config.
    interface vlan 28
      description "CLIENT VLAN"
      ip address 192.168.10.11 255.255.255.248
      peer ip address 192.168.10.12 255.255.255.248
      mtu 1500
      mac-sticky enable
      access-group input ALL
      service-policy input remote_mgmt_allow_policy
      service-policy input POLICY
      no shutdown
    interface vlan 29
      description "SERVER VLAN"
      ip address 192.168.10.19 255.255.255.248
      peer ip address 192.168.10.20 255.255.255.248
      mtu 1500
      mac-sticky enable
      access-group input ALL
      service-policy input remote_mgmt_allow_policy
      service-policy input POLICY
      no shutdown
    When I configure my servers in vlan 29 and point the default gateway to 192.168.10.19 it works fine, no issues, but when this ACE goes down and the standby becomes active, my servers' default gateway will still be pointing to 192.168.10.19. Do I need to manually change it to .20,
    or can I configure HSRP? Please advise me on this.

    Hi ,
    Yes the alias should be set as gateway for the servers.
    The alias is a shared address between the peers. This address will be on the ACTIVE ace. 
    Regards
    Dan

  • Design FWSM in transparent or routed mode in the DC !!!

    Hi guys, I was wondering: with so many security zones in the server farm or DC, and given the FWSM's capability of supporting only two interfaces in transparent mode, which design is really the best one? I mean using multiple contexts in transparent mode or just using the whole system in routed mode?
    Thanks in advance ,...

    As per my experience, there should be real justice and need to go for Transparent mode. To fully utilize the box capability and to play around with your network, always prefer Routed mode. Transparent mode is also difficult to troubleshoot.
    Choose transparent mode to insert a firewall in a previously unprotected network, and to put in a firewall without disturbing the network.
    regards
    Prasad

  • Ace routing mode design issue

    I need some assistance in configuring an application using routing mode on Cisco ACE
            clients ---asa--3750--cisco ace--- servers behind vip
                                                                |
                                                              visa card transaction servers
    I am able to set up a VIP on the ACE using routing mode. As the servers need to see the client IP, we are not performing SNAT. This part is working fine.
    When a request comes from the client, it goes to the VIP and to one of the backend servers, and the request will be forwarded back to the ACE, as the default gateway on the servers is pointing to the server VLAN on the ACE.
    But if the transaction from the servers needs to go to the visa card transaction servers, how can we achieve this? And after fetching the data from the visa servers, will the reply be forwarded to the ACE or to the ASAs directly?
    Or do we need to have static routes defined on the visa servers to point to the ASA?
    Please advise me on this.

    Clint
    No, they are in a completely different network.
    When a client hits the VIP, the request goes to the ASA.
    The ASA forwards the VIP traffic to the ACE (VIP) interface, and from there it forwards the traffic to the (server vlan) interface and to the appropriate backend servers.
    The backend server responds back to the (server vlan) interface and the traffic is forwarded back to the ASA.
    But when a visa card transaction needs to take place, the farm servers need to route the traffic to the visa servers, which will be in a different subnet range.
    Do the farm servers send the request back to the ASA, and can we configure static routes on the ASA to point to the visa servers?
    Or on the farm servers, can we have static routes for the visa servers?
    Or can I define static routes on the ACEs for the visa servers?

  • I have an Airport Extreme as my router and am using time capsule to extend the network in my new house. My ISP is only providing me 4-5 ip addresses and wants me to set up my router to issue out new ip addresses for all my devices. How do I fix this? Help

    I have an Airport Extreme as my router and am using time capsule to extend the network in my new house. My ISP is only providing me 4-5 ip addresses and wants me to set up my router to issue out new ip addresses for all my devices. How do I fix this? Help.
    They said I need to change my settings to NAT settings. I haven't been able to figure out or find anything. I have also spoken to Apple Support on the phone for hours without being able to figure out how to do this (I don't think he knew much either lol). Please help me because I've got about 15-20 devices in my house that require to be connected to the internet and this is just making things ridiculously slow and painful for me.
    Thanks!

    It is on DHCP & NAT under router mode, yet my ISP is still the one issuing IP addresses to my devices instead of the router issuing them.

  • How to configure a RV220W in normal routing mode (No NAT)

    Hi,
    I have been very busy the last few days in trying to configure this router in normal routing mode. I do not want to have double NAT in my network. This is my setup:
    C class IP network connected to the internet via a Fritzbox router. I need this router because of the VOIP services it provides. I want to use the RV220W to isolate certain users from the rest of the network. When I configure the router in WAN (NAT) it partially works, e.g. I can browse and send email, but can't make a connection to an Apple fileserver which is on the base network. When I try to operate in normal routing mode I can't get it to work. I am sure I am doing something wrong with the static routes.
    Setup:
    Internet <-> Fritzbox (192.168.12.0/24) network <-> RV220W <-> LAN 1 (192.168.1.0/24) users to be isolated.
    On the 192.168.12.0/24 network the printer, fileserver and PBX are connected.
    Please help me in configuring this.
    The firmware is the latest 1.0.5.8.
    Thanks in advance!
    Peter

    Hello Peter,
    Sorry for the late reply, but I figured I would post anyway in case anyone else has this question.
    You can put the router in what is called router mode by logging into the admin page and going to Networking >> Routing >> Routing Mode and selecting Router.
    I am only looking at an emulator, but I believe this will cause a reboot. Once in router mode, NAT and the firewall are disabled; however, access rules do still work.
    You will still need a static route from your Fritzbox to the 192.168.1.0/24 network on the RV220W, and the RV220W should have the Fritzbox as its default gateway on its WAN interface. You may also need to create an ACL to allow traffic from the Fritzbox network through the RV's WAN port.
    Some Apple devices depend on the Bonjour protocol to work properly, which doesn't always traverse subnets well, so if after all of that it still doesn't work you may have an issue with Apple.
    Thank you for choosing Cisco,
    Christopher Ebert
    Network Support Engineer - Cisco Small Business Support Center

  • ACE in routed mode

    My first question, can anyone recommend some very heavy reading discussing the ACE modules and associated traffic flows and order of operations?  Not just how-to scenarios.
    And the primary question that brings me here:
    I've got an ACE module in a 6500 chassis that's configured for routed mode.  For the purpose of this question we'll say that on the ACE I have a single VLAN for vIPs and a single VLAN for rservers.  vIP VLAN is 12 and rserver VLAN is 101.  I have a pair of App servers being load balanced, and a pair of Web servers being load balanced.
    When user devices send traffic to the Web servers vIP, traffic hits the SVI for VLAN 12 and the service-policy is applied manipulating that traffic and sending it to the VLAN 101 SVI and on down to an rserver.  The same if user devices are sending traffic to the App servers vIP.
    When a Web server tries to send over to the App servers vIP, I get no response.  In fact, from the Web server I can't even ping my gateway (SVI for VLAN 101).  How do I get the Web server to send traffic loadbalanced across the App servers?
    Here's an example ACE config:
    access-list ALL line 8 extended permit ip any any
    probe tcp 5555
      port 5555
      interval 5
      passdetect interval 30
    probe http HTTP
      interval 5
      passdetect interval 30
      expect status 200 200
    rserver host APP01
      description App Server 1
      ip address 10.10.101.15
      probe 5555
      inservice
    rserver host APP02
      description App Server 2
      ip address 10.10.101.16
      probe 5555
      inservice
    rserver host WEB01
      description Web Server 1
      ip address 10.10.101.17
      probe HTTP
      inservice
    rserver host WEB02
      description Web Server 2
      ip address 10.10.101.18
      probe HTTP
      inservice
    serverfarm host APP-SERVERS
      predictor leastconns
      rserver APP01
        inservice
      rserver APP02
        inservice
    serverfarm host WEB-SERVERS
      predictor leastconns
      rserver WEB01
        inservice
      rserver WEB02
        inservice
    sticky ip-netmask 255.255.255.255 address both WEB-STICKY
      replicate sticky
      serverfarm WEB-SERVERS
    sticky ip-netmask 255.255.255.255 address both APP-STICKY
      replicate sticky
      serverfarm APP-SERVERS
    class-map match-any APP-VIP
      description App Servers VIP
      2 match virtual-address 10.10.12.21 tcp eq 5555
    class-map match-any WEB-VIP
      description Web Servers VIP
      2 match virtual-address 10.10.12.20 tcp eq https
      3 match virtual-address 10.10.12.20 tcp eq www
    policy-map type loadbalance first-match L7-APP-SERVERS
      class class-default
        sticky-serverfarm APP-STICKY
    policy-map type loadbalance first-match L7-WEB-SERVERS
      class class-default
        sticky-serverfarm WEB-STICKY
    policy-map multi-match L4-CONTEXT-A-VLAN
      class WEB-VIP
        loadbalance vip inservice
        loadbalance policy L7-WEB-SERVERS
        loadbalance vip icmp-reply
      class APP-VIP
        loadbalance vip inservice
        loadbalance policy L7-APP-SERVERS
        loadbalance vip icmp-reply
    interface vlan 12
      description ACE-CONTEXT-A-vIPs
      ip address 10.10.12.5 255.255.252.0
      alias 10.10.12.4 255.255.252.0
      peer ip address 10.10.12.6 255.255.252.0
      access-group input ALL
      service-policy input MGMT-ACCESS
      service-policy input L4-CONTEXT-A-VLAN
      no shutdown
    interface vlan 101
      description ACE-CONTEXT-A-SERVERS
      ip address 10.10.101.2 255.255.255.0
      alias 10.10.101.1 255.255.255.0
      peer ip address 10.10.101.3 255.255.255.0
      access-group input ALL
      no shutdown

    Hi Adam,
    You can check Gilles' DC t-shooting guides, which should give you a very good overview of packet processing on the ACE; you can also check the Cisco wiki site, where you find the scenarios plus a detailed explanation of traffic management.
    Now going back to your issue, your problem can be split in two parts.
    1. Web server not able to ping VLAN 101 ACE's SVI.
    ACE is a closed device, meaning that access to each interface/VLAN needs to be explicitly configured; you need to apply the management policy to the 101 SVI to allow ICMP or any other management protocol. You can apply the same (service-policy input MGMT-ACCESS) or create a new one just for ICMP, that's up to you.
    2. Web servers not able to communicate with APP servers through VIP (and vice versa).
    The problem here is that servers are trying to communicate through SVI 101 but no VIPs are applied to it, so the ACE will simply discard the packets for 10.10.12.20/10.10.12.21 on that interface. Servers have the ARP and everything to reach those VIPs, but the ACE has not been instructed to do load balancing for clients reaching it through VLAN 101.
    In order to do load balancing between APP & Web servers you need to configure L4-CONTEXT-A-VLAN on SVI 101 as well.
    Also, since your servers are all sitting in the same VLAN, you're going to need client NAT to prevent asymmetric routing on server-to-server communications.
    I've attached a sample with NAT based on your config.
    HTH
    Pablo
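
An added example, not part of the thread and not the attachment Pablo mentions: a small Python audit that applies the checks from his reply to a trimmed copy of the configuration in the question. The `policy-map type management` header for MGMT-ACCESS and the finding names are assumptions made for the example; the post shows neither.

```python
import ipaddress
import re

# Trimmed from the ACE configuration quoted in the question. The MGMT-ACCESS
# definition is not shown in the post; its header line below is an assumption.
ACE_CONFIG = """\
rserver host APP01
  ip address 10.10.101.15
rserver host WEB01
  ip address 10.10.101.17
policy-map type management first-match MGMT-ACCESS
policy-map multi-match L4-CONTEXT-A-VLAN
  class WEB-VIP
    loadbalance vip inservice
  class APP-VIP
    loadbalance vip inservice
interface vlan 12
  ip address 10.10.12.5 255.255.252.0
  service-policy input MGMT-ACCESS
  service-policy input L4-CONTEXT-A-VLAN
interface vlan 101
  ip address 10.10.101.2 255.255.255.0
  access-group input ALL
"""


def parse(config):
    """Collect rservers, management policies, VIP policies and VLAN interfaces."""
    model = {"rservers": {}, "mgmt": set(), "lb": {}, "vlans": {}}
    section, cls = None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():              # unindented line opens a new section
            words = line.split()
            section, cls = None, None
            if words[0] == "rserver":
                section = ("rserver", words[-1])
            elif words[:3] == ["policy-map", "type", "management"]:
                model["mgmt"].add(words[-1])
            elif words[:2] == ["policy-map", "multi-match"]:
                section = ("lb", words[-1])
                model["lb"][words[-1]] = {}
            elif words[:2] == ["interface", "vlan"]:
                section = ("vlan", int(words[2]))
                model["vlans"][section[1]] = {"net": None, "policies": []}
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "rserver" and line.startswith("ip address "):
            model["rservers"][name] = ipaddress.ip_address(line.split()[2])
        elif kind == "lb" and line.startswith("class "):
            cls = line.split()[1]
            model["lb"][name][cls] = False    # False until a "nat dynamic" is seen
        elif kind == "lb" and cls and line.startswith("nat dynamic "):
            model["lb"][name][cls] = True
        elif kind == "vlan" and line.startswith("ip address "):
            _, _, addr, mask = line.split()
            model["vlans"][name]["net"] = ipaddress.ip_network(
                f"{addr}/{mask}", strict=False)
        elif kind == "vlan" and (m := re.match(r"service-policy input (\S+)", line)):
            model["vlans"][name]["policies"].append(m.group(1))
    return model


def audit(config):
    """Return sorted (vlan, finding, detail) tuples for VLANs that hold rservers."""
    model = parse(config)
    findings = []
    for vlan, intf in model["vlans"].items():
        hosted = [n for n, ip in model["rservers"].items()
                  if intf["net"] and ip in intf["net"]]
        if not hosted:
            continue                          # only server-side VLANs are checked
        if not model["mgmt"] & set(intf["policies"]):
            findings.append((vlan, "no-management-policy",
                             "management traffic to the SVI is dropped"))
        for policy, classes in model["lb"].items():
            for cls, has_nat in classes.items():
                if policy not in intf["policies"]:
                    # VIP class is not load-balanced for traffic entering here
                    findings.append((vlan, "vip-not-served", cls))
                elif not has_nat:
                    # servers share the VLAN, so replies bypass the ACE
                    findings.append((vlan, "no-client-nat", cls))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(ACE_CONFIG):
        print(finding)
```
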

  • CSM route mode and bridge mode can exist at the same time?

    I'm using CSM on ver 4.x, and I used the bridge mode for firewall load balancing. For a new request, I have to create a new server/client vlan, but the original firewall load balancing was affected when I issued the server vlan command, and I'd like to use route mode for the new server farm. I'm wondering whether route mode and bridge mode can't exist at the same time, because it seems it doesn't make sense. Any reply will be very appreciated.

    You can use bridge mode and route mode at the same time.
    Traffic with destination MAC address being the CSM will be routed, otherwise it will be bridged.
    Gilles.

  • WAN Port & Router Mode

    Can someone please explain to me how to properly configure two linksys routers (such as WRT54G) so that one is an internet gateway and the other is a router for a different subnet but can still access the internet through the other router's gateway.
    Obviously the internet gateway router would be in "gateway" mode and the second router would be in "router" mode.  I'm assuming that the cable should run from the WAN port of the second router to a LAN port on the gateway router.
    With this configuration in mind, what settings would I need to adjust in order for these two routers to successfully communicate with one another and for pcs on both routers to successfully communicate with each other through the routers.  Also, I need all pcs, regardless of the router to which they are connected, to access the internet through the gateway router.
    Do I need to adjust RIP settings?  Static routes?  Static IP addresses?
    Any help is greatly appreciated!

    I have had some success! But not much . I restarted the adsl router and was assigned an ip address for my MBP and could connect to the internet through the new wireless network.  Yee-ha.  But when I try to add additional devices to that network they will not connect unless I restart the adsl router each time.  Also when I disconnect and try reconnect my MBP to the new wireless network we are back to square one unless I restart the router.  So it looks like it is a router issue.  I would be really grateful for any suggestions as to what I should change on the adsl router??  It is a TP-Link TDW8961ND.

  • Bridge mode and router mode

    hello,
    I want to understand the basic operation, difference and advantages of both Bridge Mode and Router mode?
    i also want to know in which case i should go for Bridge mode and Router mode?
    regards
    Devang

    It really depends on your requirements.
    Mainly bridge mode is used for multicast support, Multiple DMZs + FWSM, server initiated connections or for seamless migration from previously installed "bridged load balancing environment".
    Some of the differences are
    In bridge mode you do not need additional config for "Direct server access" / "Server Initiated connections"
    Broadcasts are dropped in routed mode whereas they are bridged in bridge mode.
    LB functionality is same in both modes.
    Syed Iftekhar Ahmed

  • ASA In Data Centers, why not routed mode?

    Hi Guys,
    As I can see, Cisco is recommending for the ASAs to be in transparent mode in data centers. My question: why not routed mode?
    How to decide? What is the problem in having the routing on the ASA?
    I know that transparent mode is easier to place, but in my case it is a new design and I want to use the interface vlans on the ASA, not the core, so the gateway of each server will be the ASA.
    What is the problem here? Why is it not recommended?
    I'm using ASA clustering as well over two DCs.
    In Cisco links they explain why to use transparent mode, but I couldn't find what the problems/limitations are in using routed mode.
    Any clue?
    Thanks & Regards,
    Rami

    but in my case it is new design and i want to use the interface vlans on the ASA not core. so the gateway of each server will be the ASA.
    If that's the case use routed mode on your ASA.
    Cisco's design docs are a great place to start but there is nothing that says you have to follow them to the letter, you modify them to fit with what you need.
    Bear in mind as well that it's not an either or choice. With contexts you can have some in transparent mode and some in routed mode so you have flexibility.
    I don't know what design guides you are referring to but it may be that they include some L2 features eg.
    a long while back we wanted to RRI (Reverse Route Injection) from a CSM load balancer that was behind a firewall. For it to work the CSM had to be L2 adjacent to the 6500 which meant you couldn't use the FWSM in L3 mode.
    Not saying you want to do that but it is an example of where other parts of the design can dictate how you run your firewalls.
    Jon

  • Difference between bridge mode and routed mode on CSS

    Hi,
    Could someone tell me the difference between routed mode and bridge mode?
    Regards
    Neha

    Hi,
    routed mode:
    The CSS acts as a router, it routes packets from the client to the server. The server has the ACE configured as default-gateway.
    There is a client-side VLAN and a server-side VLAN. These VLANs have different subnets.
    Bridged mode:
    The CSS acts as a bridge, it switches frames from the client to the server. The server has the upstream router configured as default-gateway.
    There is a client-side VLAN and a server-side VLAN. These VLANs have the same subnet, but different VLAN IDs. The ACE bridges the client traffic from the client-side VLAN to the server-side VLAN.
    Bridged mode would be most used in case one cannot change the servers IP addresses, or if address space is an issue.
    Hope this helps.
    Kind regards,
    Dario

  • Can VIP and Rservers be in the same subnet in ACE Routed Mode

    Good Day,
    Sorry for the lengthy post.
    Currently I have a 6509s running in VSS mode with ACE30 in each chassis.
    I have 5 vlans, which the VSS is the L3 interface for each. 1 Vlan is for management, the others are the data vlans for the servers.
    The ACE is configured in bridge mode, with all VLANs going to a specific context (non Admin).
    Some of the Host on each VLANs are not utilized for load-balancing. The default gateway for each VLAN is configured on the VSS.
    I would like to setup the ACE in the routed mode, without having to change the IP address of each servers on different VLANs.
    Basically I want to turn off the SVIs on VSS and move the L3 interface on the ACE Context, and let it perform the local routing for all the hosts.
    I was going to add a new /30 L3 interface between the VSS and ACE to be utilized for default route traffic coming from the ACE Context, and static routes from VSS to ACE for traffic destined to host that are being load-balanced and not being load-balanced. Basically force the traffic through the load-balancer in/out.
    For future deployment, I was planning on using different IP address for the VIPs, and Real servers (most likely RFC 1918).
    From most of the examples I have seen the VIP and Rservers are in different Subnets. But because I am trying to not change the IP address of the rservers and VIP, I wanted to know if the VIP and Rservers can be configured to be in the same subnet where the ACE is in routed mode.
    Unfortunately I don't have a spare ACE to test scenario.
    As always any help would greatly be appreciated.
    Regards,
    Raman

    Link-local addresses are usually the self assigned IP address that a device will set when a DHCP server cannot be found. These are the addresses with 169.254.x.x subnet.
    If the router is assigning IP addresses for your network, then they will usually have a different IP subnet, possibly 192.168.0 for D-Link. And this subnet would be for the wired and wireless connections. So it would be more a case of bridging the two network topologies rather than routing them.
    The network host is busy message could be more to do with the driver and the IP protocol selected when creating the queue than the connection being broken between the Mac and printer. If you were to open Network Utility and select the Ping tab, enter the IP address of the HP and set the pings to 4, pressing the Ping button will soon show if there is a path through the wireless to the printer.
    If you get a response to the ping you could then open Safari and type the ip address as the URL. This would then connect to the internal web page of the printer and possibly let you enable an IP protocol like LPR so that you can use LPD on the Mac instead of Bonjour to connect to the printer.
    As for the driver, you could look at using a Gutenprint driver instead of the HP driver or the hpijs package to get past the limitations that some printer drivers have with network connections.
