ACE redundancy with bridge mode

Unanswered Question
May 26th, 2009

I need to configure redundancy between two ACE modules (no problem). There is a context in bridge mode. My question is: in which state is the standby context? Is it in a blocked state (meaning it does not answer any L2 requests), similar to, for example, the ASA? I need to explain the loop-free topology.

Can anybody explain to me how it works?

ciscocsoc Tue, 05/26/2009 - 03:01

The link to the standby context should be blocked, but you will need to allow BPDU traffic through the ACE. In the context define an ACL and apply it to both VLAN interfaces, e.g.

access-list BPDU ethertype permit bpdu

interface vlan 387
  bridge-group 387
  access-group input BPDU
  access-group input PERMIT-ALL
  service-policy input L4POLICY
  no shutdown

interface vlan 388
  bridge-group 387
  access-group input BPDU
  access-group input PERMIT-ALL
  no shutdown



Martin Kyrc Tue, 06/23/2009 - 22:47

Are the IP access list and service-policy attached to the VLAN interface or to the BVI interface? I think the BVI is correct, because only this one is an L3 interface. Am I right?

dario.didio Wed, 06/24/2009 - 00:17


No, you should configure your ACLs and service-policies on the VLAN interfaces, not the BVI.

You should follow the traffic flow:

It is sent by the upstream router into a particular VLAN (client-side) towards the VIP address (which is located inside the client-side VLAN and is reachable via the VLAN interface on the ACE). That is where you need to put your ACLs and service-policies.

Same way for the return traffic, it enters the ACE via the VLAN interface.



Martin Kyrc Wed, 06/24/2009 - 00:24


Thanks for the explanation.

On the BVI interface only the IP address, peer IP address and alias address (for the VIP) are configured, without any access-group. Right?


dario.didio Wed, 06/24/2009 - 00:43

Yes, that's correct.

If you have a redundant setup, don't forget to allow the Spanning-tree BPDUs!

Create an ACL that permits BPDUs and configure it on both ACEs on the client and server side:

access-list NONIP ethertype permit bpdu

! client-side
int vlan 10
  access-group input NONIP

! server-side
int vlan 20
  access-group input NONIP

more info:

Please rate if this was useful for you.

Kind regards,
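Pulling the two answers together, the following is a complete bridged-context configuration added here as an example; it is not configuration posted in this thread and not taken from Cisco documentation. VLAN 10 (client side), VLAN 20 (server side), bridge-group 1, BVI 1, the policy-map name L4POLICY, the context name BRIDGE-CTX and every IP address are assumed values chosen for illustration. The ft interface, ft peer and ft group section is the assumed Admin-context redundancy setup that the thread only refers to, not something it shows. Lines starting with `!` are comments for the reader and are not meant to be pasted.

```text
! --- User context BRIDGE-CTX (assumed name), same on both ACE modules ---
! Layer 2 ACL: lets spanning-tree BPDUs cross the bridge so the switches
! can see the loop the two bridged VLANs form and block it themselves.
! Without it the ACE silently drops BPDUs and STP cannot protect you.
access-list BPDU ethertype permit bpdu
! Layer 3 ACL for data traffic (tighten to the real client/server ranges)
access-list PERMIT-ALL line 10 extended permit ip any any

! Client-side VLAN (assumed number): ACLs and service-policy live here
interface vlan 10
  description client-side
  bridge-group 1
  access-group input BPDU
  access-group input PERMIT-ALL
  service-policy input L4POLICY
  no shutdown

! Server-side VLAN (assumed number): BPDU ACL here too, so both legs pass STP
interface vlan 20
  description server-side
  bridge-group 1
  access-group input BPDU
  access-group input PERMIT-ALL
  no shutdown

! The BVI carries addressing only: no access-group, no service-policy.
! ip address = this module, peer ip address = the other module,
! alias = the shared address that follows the active context.
interface bvi 1
  ip address 192.168.10.2 255.255.255.0
  peer ip address 192.168.10.3 255.255.255.0
  alias 192.168.10.1 255.255.255.0
  no shutdown

! --- Admin context, both modules (assumed values) ---
! Dedicated FT VLAN between the two modules for heartbeat and state sync
ft interface vlan 100
  ip address 10.255.0.1 255.255.255.0
  peer ip address 10.255.0.2 255.255.255.0
  no shutdown

ft peer 1
  ft-interface vlan 100

! Higher priority on this module makes its copy of BRIDGE-CTX active;
! the peer's copy stays standby and does not forward on VLAN 10/20.
ft group 1
  peer 1
  priority 150
  peer priority 50
  associate-context BRIDGE-CTX
  inservice
```

After both modules are configured, `show ft group detail` in the Admin context shows which module holds the active copy of the context; only that module forwards between VLAN 10 and VLAN 20, which is what keeps the bridged topology loop-free while the BPDU ACL lets the switches verify it.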


