Hi,

I tried to configure this, but without a client, rserver, routers... to test it.

I configured 3 class maps to match a VIP address. 2 where fake and 1 was real (2 in other subnet then ACE interface and 1 in the subnet of the ACE interface).

When I did a sh arp, only the real one showed up as VSERVER. The other 2 wheren't there.

Like I said, I didn't have the possibility to test it, so I can't confirm if it is working or not.

Could you please command?

Thanks in advance.

Unfortunately I dont have a test environment either to verify this.

I dont think you will see arp entries as the address doesnt belong to an interface.

You should see the VIPs active (sh service policy detail) for these non-interface VIPs.

If those are active then I think once client request hits the ACE it should take care of it.

I have deployed such solution with FWSM (no VIPs there but used Natted addresses not belonging to any attached interface ) and as per that experience I think it should work.

But yes you need actual clients to test this scenario.

Syed

Thanks,

once I have the chance of testing this, I will update this topic.

Hello,

You should think of the "other subnet" VIP addresses as existing on a virtual interface inside the ACE and being routed through the outside interface of the ACE. They will not show up in a "show arp".

We use this often, both in routed and bridged ACE contexts, and it works very nicely.

I wish you luck with this. :-)

/Claus

Dario,

I have also used this method to indicate the availability of our internal firewall interface for intelligent advertisement of the default route out of the corporate network (ie...using RHI). The routing for this is quite stable and working well also.

SteveK.