ACE in bridged mode doesn't work

Answered Question
Apr 3rd, 2009

Hi,

The customer has an ACE with version 2.1.2. He has configured an ACE context for bridging:

logging enable
logging console 7
logging buffered 7
switch-mode
access-list acl-bridge line 5 extended permit ip any any
probe tcp PR_Test
  interval 300
  passdetect interval 8
  open 2
rserver host SR-Test
  ip address 172.17.249.21
  inservice
serverfarm host SF-Test
  probe PR_Test
  rserver SR-Test
    inservice
class-map match-all VIP-Test-Class
  2 match virtual-address 172.17.249.20 tcp eq www
policy-map type loadbalance first-match VIP-Test-MapL7
  class class-default
    serverfarm SF-Test
policy-map multi-match Test-MapL4
  class VIP-Test-Class
    loadbalance vip inservice
    loadbalance policy VIP-Test-MapL7
    loadbalance vip icmp-reply active
interface vlan 217
  bridge-group 17
  access-group input acl-bridge
  access-group output acl-bridge
  service-policy input Test-MapL4
  no shutdown
interface vlan 218
  bridge-group 17
  access-group input acl-bridge
  access-group output acl-bridge
  no shutdown
interface bvi 17
  ip address 172.17.249.18 255.255.255.240
  no shutdown

On the Cat6500:

interface Vlan217
  ip vrf forwarding dmz
  ip address 172.17.249.17 255.255.255.240
end

The server has default GW 172.17.249.17.

I think that the configuration is right. When he tests it, direct access to the server is working, but load-balancing on the VIP address doesn't work :-( He has to add a default route to enable the load-balancing function (ip route 0.0.0.0 0.0.0.0 172.17.249.17). So where is the problem??? I think that the default route is not necessary, because it is an L2 topology and the ACE only bridges between VLANs!! The server has its default GW on the Cat6500. Thank you. Roman

cstockwe Sun, 04/05/2009 - 14:08

Hi Roman

Have you assigned the VLANs on the 6500 to the ACE module?

I have something like this in my configs:

svclc autostate
svclc multiple-vlan-interfaces
svclc vlan-group 1 27,28,40
svclc vlan-group 2 310,311,312
svclc vlan-group 3 10,11,12
firewall module 1 vlan-group 1,2
svclc module 2 vlan-group 2,3

(module 1 is a FWSM and module 2 is the ACE).

Have a check there if you think your config is ok. Have a look at the attached Cisco guide for configuring the ACE in bridge mode.

Cameron

ROMAN TOMASEK Sun, 04/05/2009 - 23:23

Hi,

Thank you for your answer and the configuration guide. The customer has configured the svclc groups, so there is not a problem with the VLANs: he can connect directly to the servers without load-balancing. The load-balancing works only when the default route is configured on the ACE. But I think that the load-balancing has to work without the default route!!! Because this is an L2 solution. When the customer has, for example, three BVIs and three VIPs from these three IP subnets, three default routes will have to be configured for LB!!! It is not possible :-(

dario.didio Mon, 04/06/2009 - 01:36

Hi,

Maybe a dumb question, but is your server's port configured in VLAN 218?

Gilles Dufour Mon, 04/06/2009 - 03:38

Do a 'show np 1 me-stats "-socm"'.

Check if the following counters increment:

Drop [mac lookup fail]: 0 0
Drop [route lookup fail]: 0 0

Also do the following:

switch/Admin# sho np 1 me-stats "-sicm -v" | i look
If lookup error: 0 0
encap lookup error: 0 0
Route lookup Error: 0 0

The ACE should have a static route because it needs to know the source of the traffic.

If you later switch to L7 load balancing it will also need a static route.

So, better configure one.

Gilles.
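The check Gilles describes is a counter delta: take the lookup-failure lines before and after a test connection and see which ones grew. The script below is an added example, not something from the thread or from Cisco; the snapshot text is constructed in the shape of the counter lines quoted above (the numbers are invented), and it assumes the first numeric column is the value to compare.

```python
import re

# Constructed sample snapshots mimicking the "show np 1 me-stats" lines
# quoted in the thread; the values are invented for the example.
BEFORE = """\
Drop [mac lookup fail]:             0          0
Drop [route lookup fail]:           12         0
If lookup error:                    0          0
encap lookup error:                 0          0
Route lookup Error:                 3          0
"""

AFTER = """\
Drop [mac lookup fail]:             0          0
Drop [route lookup fail]:           47         0
If lookup error:                    0          0
encap lookup error:                 0          0
Route lookup Error:                 3          0
"""

# "<name>: <number> <number>..." -- we keep the first numeric column
# (assumption: that column is the counter to watch).
COUNTER_RE = re.compile(r"^\s*(?P<name>[^:]+?):\s+(?P<value>\d+)(?:\s+\d+)*\s*$")


def parse_counters(text, keyword="look"):
    """Map counter name -> first numeric column for lines whose name
    contains keyword (same idea as the '| i look' filter in the thread)."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m and keyword.lower() in m.group("name").lower():
            counters[m.group("name").strip()] = int(m.group("value"))
    return counters


def incremented(before, after):
    """Return {name: delta} for counters that grew between two snapshots."""
    b, a = parse_counters(before), parse_counters(after)
    return {n: a[n] - b.get(n, 0) for n in a if a[n] > b.get(n, 0)}


if __name__ == "__main__":
    for name, delta in incremented(BEFORE, AFTER).items():
        print(f"{name} incremented by {delta}")
```

A growing "Drop [route lookup fail]" between the two snapshots points at the missing route Gilles mentions; if none of the lookup counters move, the cause is elsewhere.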

ROMAN TOMASEK Mon, 04/06/2009 - 06:03

Thank you. I tried these show commands.

About the static route:

When I have this configuration:

interface bvi 17
  ip address 172.17.249.18 255.255.255.240
interface bvi 18
  ip address 172.18.249.18 255.255.255.240
interface bvi 19
  ip address 172.19.249.18 255.255.255.240
class-map match-all VIP-Test-Class
  2 match virtual-address 172.17.249.20 tcp eq www
class-map match-all VIP-Test-Class1
  2 match virtual-address 172.18.249.20 tcp eq www
class-map match-all VIP-Test-Class2
  2 match virtual-address 172.19.249.20 tcp eq www

which default route will I have to configure??

ip route 0.0.0.0 0.0.0.0 172.17.249.17 or
ip route 0.0.0.0 0.0.0.0 172.18.249.17 or
ip route 0.0.0.0 0.0.0.0 172.19.249.17

Thank you

Roman

Gilles Dufour Mon, 04/06/2009 - 12:11

You need all 3 of them.

We're not using them to route, but just to verify the source of the traffic.

Gilles.

ROMAN TOMASEK Tue, 04/07/2009 - 11:17

Is it possible to disable the verification of the source of the traffic on the ACE module?

Correct Answer
Gilles Dufour Tue, 04/07/2009 - 23:17

You can create static arp entries for the gateway.

Or configure the gateway as rserver.

The thing is we need to see the mac-address for the source of the traffic in our arp table.

But before testing anything in the dark, get the commands I asked for to verify this is the problem and not something else.

Gilles.
