ACE redundancy with bridge mode

Martin Kyrc
Level 3

I need to configure redundancy between two ACE modules (no problem). There is a context in bridge mode. My question is, in which state is the standby context? Is it in a blocked state (meaning it does not answer any L2 requests), similar to, for example, the ASA? I need to explain the loop-free topology.

Can anybody explain to me how it works?

5 Replies

ciscocsoc
Level 4

The link to the standby context should be blocked, but you will need to allow BPDU traffic through the ACE. In the context, define an ACL and apply it to both VLAN interfaces, e.g.

access-list BPDU ethertype permit bpdu

interface vlan 387
  bridge-group 387
  access-group input BPDU
  access-group input PERMIT-ALL
  service-policy input L4POLICY
  no shutdown

interface vlan 388
  bridge-group 387
  access-group input BPDU
  access-group input PERMIT-ALL
  no shutdown

HTH

Cathy

Are the IP access list and the service-policy attached to the VLAN interface, or to the BVI interface? I think the BVI is correct, because only that one is an L3 interface. Is that right?

Hi,

No, you should configure your ACLs and service-policies on the VLAN interfaces, not the BVI.

You should follow the traffic flow:

It is sent by the upstream router into a particular VLAN (client-side) towards the VIP address (which is located inside the client-side VLAN and is reachable via the VLAN interface on the ACE). That is where you need to put your ACLs and service-policies.

Same way for the return traffic, it enters the ACE via the VLAN interface.

HTH,

Dario

Dario,

thanks for explanation.

On the BVI interface only the IP address, peer IP address and alias address (for the VIP) are configured, without any access-group. Right?

martin

Yes, that's correct.

If you have a redundant setup, don't forget to allow the Spanning-tree BPDUs!

Create an ACL that permits BPDUs and configure it on both ACEs, on the client- and server-side:

access-list NONIP ethertype permit bpdu

interface vlan 10 ! client-side
  access-group input NONIP

interface vlan 20 ! server-side
  access-group input NONIP

More info:

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/rtg_brdg/guide/bridge.html#wp1174530

Please rate if this was useful for you.

Kind regards,

Dario
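A check for the two pitfalls settled in Cathy's and Dario's replies above (an input EtherType ACL permitting BPDUs on every bridged VLAN interface of both ACEs, and nothing but addressing on the BVI), as an added example that is not part of the original posts or of Cisco's own tooling: a small Python linter over an ACE context configuration. The configurations it inspects are constructed here; the VLAN numbers, bridge-group and addresses are assumptions, and it treats `ethertype permit any` as also covering BPDUs.

```python
"""Lint an ACE bridge-mode context for the pitfalls discussed in the thread:
every VLAN interface in a bridge-group needs an input EtherType ACL that
permits BPDUs, and access-groups / service-policies go on the VLAN
interfaces, not the BVI.  Added example; sample configs are constructed."""
import re
from collections import OrderedDict

# EtherType keywords ACE accepts in "access-list NAME ethertype permit ..."
VALID_ETHERTYPES = {"any", "bpdu", "ipv6", "mpls"}

# Interface sub-commands, so un-indented pasted configs still parse.
INTERFACE_SUBCOMMANDS = ("description", "bridge-group", "access-group",
                         "service-policy", "ip address", "peer ip address",
                         "alias", "no shutdown", "shutdown")


def parse_ace_config(text):
    """Return (acls, interfaces): ACL name -> rule strings, and
    'vlan 10' / 'bvi 1' -> its sub-command lines."""
    acls, interfaces, current = OrderedDict(), OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"access-list\s+(\S+)\s+(.*)", line)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
            current = None
            continue
        m = re.match(r"interface\s+(vlan|bvi)\s+(\d+)$", line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            interfaces[current] = []
            continue
        if current and (raw[:1].isspace() or line.startswith(INTERFACE_SUBCOMMANDS)):
            interfaces[current].append(line)
        else:
            current = None
    return acls, interfaces


def check_bridge_mode(text):
    """Return a list of findings; an empty list means the config passes."""
    acls, interfaces = parse_ace_config(text)
    findings, bpdu_ok, members = [], set(), {}
    for name, rules in acls.items():
        for rule in rules:
            m = re.fullmatch(r"ethertype\s+(permit|deny)\s+(\S+)", rule)
            if not m:
                continue
            if m.group(2) not in VALID_ETHERTYPES:   # e.g. the 'bdpu' typo
                findings.append(f"access-list {name}: '{m.group(2)}' is not a valid "
                                f"EtherType keyword {sorted(VALID_ETHERTYPES)}")
            elif m.group(1) == "permit" and m.group(2) in ("bpdu", "any"):
                bpdu_ok.add(name)                    # 'any' covers BPDUs too
    for ifname, subs in interfaces.items():
        applied = [s.split()[2] for s in subs if s.startswith("access-group input ")]
        policy = any(s.startswith("service-policy ") for s in subs)
        bg = next((s.split()[1] for s in subs if s.startswith("bridge-group ")), None)
        if ifname.startswith("bvi"):
            if applied or policy:
                findings.append(f"interface {ifname}: access-group/service-policy "
                                "belong on the bridged VLAN interfaces, not the BVI")
            continue
        for name in applied:
            if name not in acls:
                findings.append(f"interface {ifname}: references undefined ACL {name}")
        if bg is None:
            continue                      # routed VLAN, not part of a bridge group
        members.setdefault(bg, []).append(ifname)
        if not any(name in bpdu_ok for name in applied):
            findings.append(f"interface {ifname}: no input EtherType ACL permitting "
                            "bpdu; STP cannot see through the bridge, loop risk on a "
                            "redundant pair")
    for bg, ifs in members.items():      # ACE bridges exactly two VLANs per group
        if len(ifs) != 2:
            findings.append(f"bridge-group {bg}: expected two VLAN interfaces, found {len(ifs)}")
    return findings


# Constructed sample: what the thread recommends (values are assumptions).
GOOD_CONFIG = """\
access-list NONIP ethertype permit bpdu
access-list PERMIT-ALL line 8 extended permit ip any any
interface vlan 10
  bridge-group 1
  access-group input NONIP
  access-group input PERMIT-ALL
  service-policy input L4POLICY
  no shutdown
interface vlan 20
  bridge-group 1
  access-group input NONIP
  access-group input PERMIT-ALL
  no shutdown
interface bvi 1
  ip address 10.1.1.2 255.255.255.0
  peer ip address 10.1.1.3 255.255.255.0
  alias 10.1.1.1 255.255.255.0
  no shutdown
"""

# Constructed sample with the mistakes raised in the thread: the 'bdpu' typo,
# no BPDU ACL on the server-side VLAN, and an access-group on the BVI.
BAD_CONFIG = """\
access-list NONIP ethertype permit bdpu
access-list PERMIT-ALL line 8 extended permit ip any any
interface vlan 10
  bridge-group 1
  access-group input NONIP
  access-group input PERMIT-ALL
  no shutdown
interface vlan 20
  bridge-group 1
  access-group input PERMIT-ALL
  no shutdown
interface bvi 1
  ip address 10.1.1.2 255.255.255.0
  peer ip address 10.1.1.3 255.255.255.0
  alias 10.1.1.1 255.255.255.0
  access-group input PERMIT-ALL
  no shutdown
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_bridge_mode(cfg) or "OK")
```

Run it against `show running-config` output from both ACE contexts; the bad sample yields four findings (the misspelled EtherType keyword, both bridged VLANs without a BPDU-permitting ACL, and the access-group on the BVI), and the good one yields none.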
