05-26-2009 01:33 AM
I need to configure redundancy between two ACE modules (no problem). There is a context in bridge mode. My question is: in which state is the standby context? Is it in a blocked state (that is, it does not answer any L2 requests), similar to, for example, the ASA? I need to explain the loop-free topology.
Can anybody explain to me how it works?
05-26-2009 03:01 AM
The link to the standby context should be blocked, but you will need to allow BPDU traffic through the ACE. In the context, define an ACL and apply it to both VLAN interfaces, e.g.
access-list BPDU ethertype permit bpdu
interface vlan 387
  bridge-group 387
  access-group input BPDU
  access-group input PERMIT-ALL
  service-policy input L4POLICY
  no shutdown
interface vlan 388
  bridge-group 387
  access-group input BPDU
  access-group input PERMIT-ALL
  no shutdown
HTH
Cathy
06-23-2009 10:47 PM
Are the IP access list and service-policy attached to the VLAN interface, or the BVI interface? I think BVI is correct, because only this one is an L3 interface. I'm sure?
06-24-2009 12:17 AM
Hi,
No, you should configure your ACLs and service-policies on the VLAN interfaces, not the BVI.
You should follow the traffic flow:
It is sent by the upstream router into a particular VLAN (client-side) towards the VIP address (which is located inside the client-side VLAN and is reachable via the VLAN interface on the ACE). That is where you need to put your ACLs and service-policies.
Same way for the return traffic, it enters the ACE via the VLAN interface.
HTH,
Dario
06-24-2009 12:24 AM
Dario,
Thanks for the explanation.
On the BVI interface, only the IP address, peer IP address and alias address (for VIP) are configured, without any access-group. Right?
martin
06-24-2009 12:43 AM
Yes, that's correct.
If you have a redundant setup, don't forget to allow the Spanning-tree BPDUs!
Create an ACL that permits BPDUs and configure it on both ACEs on the client and server side:
access-list NONIP ethertype permit bpdu
int vlan 10 ! client-side
  access-group input NONIP
int vlan 20 ! server-side
  access-group input NONIP
more info:
Please rate if this was useful for you.
Kind regards,
Dario
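As an added example (not part of the thread and not Cisco tooling), the following Python check reads an ACE context configuration and reports bridged VLAN interfaces that have no input access-group referencing a BPDU-permitting ethertype ACL. The function name and the sample configuration are constructed for illustration; the command syntax is assumed to match the snippets posted above.

```python
import re

# Constructed sample context config modeled on the snippets in the thread.
# VLAN 20 deliberately lacks the BPDU ACL so the check has something to report.
SAMPLE_CONFIG = """\
access-list NONIP ethertype permit bpdu
access-list PERMIT-ALL extended permit ip any any
interface vlan 10
  bridge-group 1
  access-group input NONIP
  access-group input PERMIT-ALL
  no shutdown
interface vlan 20
  bridge-group 1
  access-group input PERMIT-ALL
  no shutdown
interface bvi 1
  ip address 192.0.2.2 255.255.255.0
  no shutdown
"""

BPDU_ACL_RE = re.compile(r"access-list\s+(\S+)\s+ethertype\s+permit\s+bpdu$", re.I)
IFACE_RE = re.compile(r"int(?:erface)?\s+(\w+)\s+(\d+)$", re.I)
BRIDGE_RE = re.compile(r"bridge-group\s+\d+$", re.I)
ACL_IN_RE = re.compile(r"access-group\s+input\s+(\S+)$", re.I)

def bridged_vlans_missing_bpdu(config):
    """Return sorted VLAN ids that belong to a bridge-group but have no input
    access-group pointing at an ACL containing 'ethertype permit bpdu'."""
    bpdu_acls = set()
    vlans = {}      # vlan id -> {"bridged": bool, "acls": set of ACL names}
    current = None  # VLAN interface whose sub-commands are being read
    for raw in config.splitlines():
        line = raw.split("!", 1)[0].strip()  # drop '!' comments
        if line.lower().startswith("access-list"):
            current = None
            if (m := BPDU_ACL_RE.match(line)):
                bpdu_acls.add(m.group(1))
        elif (m := IFACE_RE.match(line)):
            # ACLs are checked on VLAN interfaces only; the BVI is skipped.
            current = None
            if m.group(1).lower() == "vlan":
                current = vlans.setdefault(int(m.group(2)), {"bridged": False, "acls": set()})
        elif current is not None:
            if BRIDGE_RE.match(line):
                current["bridged"] = True
            elif (m := ACL_IN_RE.match(line)):
                current["acls"].add(m.group(1))
    return sorted(v for v, i in vlans.items() if i["bridged"] and not (i["acls"] & bpdu_acls))
```

A misspelled keyword in the ACL definition is not counted as a BPDU permit, so every bridged VLAN that references only that ACL is reported.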