Cisco ACE with 2 bridge groups.

Answered Question
Sep 16th, 2008

Hi,

Is it possible to configure the ACE with 2 bridge-groups? For now I have the following configuration and this works fine:

peer hostname ace-2
login timeout 0
hostname ace-1
boot system image:c6ace-t1k9-mz.A2_1_2.bin
clock timezone standard CET

access-list BPDU ethertype permit bpdu
access-list client-traffic-26 line 10 extended permit tcp any host 10.0.26.100 eq www
access-list server-traffic-26 line 20 extended permit ip host 10.0.26.10 any
access-list server-traffic-26 line 21 extended permit ip host 10.0.26.11 any

rserver host test-1
  ip address 10.0.26.10
  inservice
rserver host test-2
  ip address 10.0.26.11
  inservice

serverfarm host test
  rserver test-1
    inservice
  rserver test-2
    inservice

class-map match-all L4_VIP_ADDRESS_CLASS
  2 match virtual-address 10.0.26.100 any
class-map type management match-any Remote-Access
  description Remote Management
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any

policy-map type management first-match Remote-Management-Allow
  class Remote-Access
    permit
policy-map type loadbalance first-match L7_VIP_LB_ORDRE_POLICY
  class class-default
    serverfarm test
policy-map multi-match L4_LB_VIP_POLICY
  class L4_VIP_ADDRESS_CLASS
    loadbalance vip inservice
    loadbalance policy L7_VIP_LB_ORDRE_POLICY
    loadbalance vip icmp-reply active
    loadbalance vip advertise active

service-policy input L4_LB_VIP_POLICY

interface vlan 2
  ip address 10.0.1.11 255.255.255.0
  alias 10.0.1.13 255.255.255.0
  service-policy input Remote-Management-Allow
  no shutdown
interface vlan 26
  bridge-group 26
  access-group input BPDU
  access-group input client-traffic-26
  no shutdown
interface vlan 626
  bridge-group 26
  access-group input server-traffic-26
  no shutdown
interface bvi 26
  ip address 10.0.26.2 255.255.255.0
  alias 10.0.26.4 255.255.255.0
  peer ip address 10.0.26.3 255.255.255.0
  no shutdown

ft interface vlan 504
  ip address 172.30.254.13 255.255.255.252
  peer ip address 172.30.254.14 255.255.255.252
  no shutdown
ft peer 1
  heartbeat interval 300
  heartbeat count 10
  ft-interface vlan 504
ft group 1
  peer 1
  priority 105
  associate-context Admin
  inservice

ip route 0.0.0.0 0.0.0.0 10.0.26.1

This also works fine but only when the default-route is in the config.

My question is then how I add another BVI and VLAN for client & server traffic.

That could be vlan 27, vlan 627 and bvi 27 with ip address 10.0.27.2/24.

I can't have 2 default routes :)

Regards Kim

Syed Iftekhar Ahmed Tue, 09/16/2008 - 04:54

Yes

As long as your vlans are different

you can have multiple bridge groups.

You cannot share vlans in bridge mode.

Syed Iftekhar Ahmed

kholst Tue, 09/16/2008 - 06:30

Ok, that's what I thought. But if I remove the default gateway I have configured or change it to the management interface 10.0.1.1, the LB doesn't function any more.

The servers are placed in vlan 626 and have the FWSM as default gateway.

Any idea ?

Regards Kim

Correct Answer
Syed Iftekhar Ahmed Tue, 09/16/2008 - 09:07

Kim

The default gateway in bridged mode is not relevant to the load-balanced traffic. In bridged mode your real servers point to the upstream L3 device (router/MSFC/Firewall).

The default gateway is only needed for ACE-originated management traffic (logs, SNMP...).

That's the reason why your default gateway should be pointing towards the management VLAN.

In order to ensure that the server responses go back to the same client VLAN where the request was received, use "mac-sticky" under each client VLAN.

I would also suggest creating a dummy rserver with the gateway IP. This will ensure that ACE constantly resolves ARP for the gateway and the ARP entry for the gateway will not time out on ACE.

HTH

Syed Iftekhar Ahmed

kholst Tue, 09/16/2008 - 23:15

Hi Syed.

mac-sticky fixed it.

Thanks.

Regards Kim
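The following is an added configuration example, not from the thread or from Cisco, showing what the second bridge group asked about in the question (vlan 27, vlan 627, bvi 27 at 10.0.27.2/24) looks like when it follows the answer: mac-sticky on the client VLAN, a dummy rserver holding the gateway address so the ARP entry stays fresh, and the single default route moved to the management VLAN. All 10.0.27.x addresses, the rserver and serverfarm names, the VIP 10.0.27.100 and the management gateway 10.0.1.1 are assumptions modelled on the 10.0.26.x pattern in the original post (10.0.1.1 is the management gateway Kim mentions). The "!" lines are annotations, not ACE commands.

```cisco
! --- second bridge group: client VLAN 27 <-> server VLAN 627 via BVI 27 ---
! (hypothetical addresses following the 10.0.26.x pattern from the post)

! per-VLAN ACLs: clients may only reach the VIP on 80/tcp; servers may only
! source traffic from their own addresses
access-list client-traffic-27 line 10 extended permit tcp any host 10.0.27.100 eq www
access-list server-traffic-27 line 20 extended permit ip host 10.0.27.10 any
access-list server-traffic-27 line 21 extended permit ip host 10.0.27.11 any

rserver host test-3
  ip address 10.0.27.10
  inservice
rserver host test-4
  ip address 10.0.27.11
  inservice

! dummy rserver holding the upstream L3 gateway of the 10.0.27.0/24 segment,
! kept inservice in its own serverfarm so ACE keeps ARPing for it and the
! ARP entry does not age out (the "dummy rserver" from the answer)
rserver host gw-27-dummy
  ip address 10.0.27.1
  inservice

serverfarm host test-27
  rserver test-3
    inservice
  rserver test-4
    inservice

serverfarm host gw-27-arp-keepalive
  rserver gw-27-dummy
    inservice

class-map match-all L4_VIP_27_CLASS
  2 match virtual-address 10.0.27.100 any

policy-map type loadbalance first-match L7_VIP_27_LB_POLICY
  class class-default
    serverfarm test-27

! extend the existing multi-match policy (already applied globally with
! "service-policy input L4_LB_VIP_POLICY") with the new VIP class
policy-map multi-match L4_LB_VIP_POLICY
  class L4_VIP_27_CLASS
    loadbalance vip inservice
    loadbalance policy L7_VIP_27_LB_POLICY
    loadbalance vip icmp-reply active
    loadbalance vip advertise active

! client side of bridge group 27: mac-sticky pins the return path for each
! flow to the MAC the request arrived from, so replies leave on this VLAN
! regardless of the default route
interface vlan 27
  bridge-group 27
  mac-sticky enable
  access-group input BPDU
  access-group input client-traffic-27
  no shutdown

! server side of bridge group 27: same bridge-group number, BPDU ACL applied
! here too so spanning tree can traverse the bridge in both directions
interface vlan 627
  bridge-group 27
  access-group input BPDU
  access-group input server-traffic-27
  no shutdown

interface bvi 27
  ip address 10.0.27.2 255.255.255.0
  alias 10.0.27.4 255.255.255.0
  peer ip address 10.0.27.3 255.255.255.0
  no shutdown

! one default route only; it serves ACE-originated management traffic
! (logs, SNMP) and therefore points at the management VLAN gateway, not at
! either bridged segment
no ip route 0.0.0.0 0.0.0.0 10.0.26.1
ip route 0.0.0.0 0.0.0.0 10.0.1.1
```

The same "mac-sticky enable" belongs under the existing interface vlan 26 as well, since the answer calls for it under each client VLAN; that is what lets the original bridge group keep working once its default route is gone. Applying the BPDU ethertype ACL on both VLAN interfaces of a bridge group, rather than only on the client side as in the original config, follows Cisco's bridged-mode examples; whether it is needed depends on whether spanning tree must pass through the ACE in your topology.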
