ACE - VIP address on different subnet

Oct 30th, 2008


Is it possible to configure a VIP address that is different from the VLAN subnet where it is applied?


VIP is on VLAN 10

Interface of ACE in VLAN 10 is

On the upstream routers, a static route points to the VIP address (subnet) with next-hop the ACE address?


dario.didio Fri, 10/31/2008 - 00:58


I tried to configure this, but without a client, rserver, routers... to test it.

I configured 3 class maps to match a VIP address. 2 were fake and 1 was real (2 in a subnet other than that of the ACE interface and 1 in the subnet of the ACE interface).

When I did a sh arp, only the real one showed up as VSERVER. The other 2 weren't there.

Like I said, I didn't have the possibility to test it, so I can't confirm if it is working or not.

Could you please comment?

Thanks in advance.

Syed Iftekhar Ahmed Fri, 10/31/2008 - 02:39

Unfortunately, I don't have a test environment either to verify this.

I don't think you will see ARP entries, as the address doesn't belong to an interface.

You should see the VIPs active (sh service policy detail) for these non-interface VIPs.

If those are active, then I think once a client request hits the ACE it should take care of it.

I have deployed such a solution with FWSM (no VIPs there, but used NATed addresses not belonging to any attached interface), and as per that experience I think it should work.

But yes, you need actual clients to test this scenario.


dario.didio Fri, 10/31/2008 - 02:51


Once I have the chance to test this, I will update this topic.

chjohansen Tue, 11/11/2008 - 12:45


You should think of the "other subnet" VIP addresses as existing on a virtual interface inside the ACE and being routed through the outside interface of the ACE. They will not show up in a "show arp".

We use this often, both in routed and bridged ACE contexts, and it works very nicely.

I wish you luck with this. :-)


stevek1 Tue, 11/11/2008 - 16:00


I have also used this method to indicate the availability of our internal firewall interface for intelligent advertisement of the default route out of the corporate network (i.e., using RHI). The routing for this is quite stable and working well also.


