ACE Implementation Bridging Question

Unanswered Question
Jul 30th, 2009
My customer is looking to undertake ACE Module implementation in favour of legacy installed products.

One of the requirements of the current environment is that some applications have VIPs and servers in the same IP Subnet and same Layer 2 vlan.

I assumed using Bridge Mode (BVI) would be the way to go - but now I am not so sure. The examples of bridge group config I have seen reference the VIP in a separate Layer 2 Vlan to the Servers.

My requirement is to have all in the same Layer 2 VLAN. Is this possible?

Gilles Dufour (Cisco Employee) Thu, 07/30/2009 - 05:15

You can have the virtual IP address in the same subnet as the servers.

You do not need bridge mode for that.

However, if you are in bridge mode and can isolate the servers on one side and the clients on the other side, you guarantee that all traffic goes through the ACE.

In routing mode, in order to guarantee that the server response does not bypass the ACE, you need to enable client NAT or policy routing, or make the ACE the default gateway for the servers.


PhilAstbury Thu, 07/30/2009 - 06:21

Thanks for that ... new to this product.

Don't suppose there is a link to documentation for the above?

Also, we have a situation where clients, VIPs and servers are currently all in the same IP subnet and Layer 2 VLAN. Are we saying this is possible by configuring bridge mode also?

Once again, many thanks for the response.

Syed Iftekhar Ahmed Thu, 07/30/2009 - 16:05

Yes, it is possible.

You need two VLANs. Clients & VIP will be on one VLAN and the servers on the other VLAN; then you will bridge them using ACE.

For example:

Let's say currently you have VLAN X with all users & servers.

You can create a new VLAN "VLAN Y", assign all servers to VLAN Y, assign VLAN X & VLAN Y to ACE, and bridge VLAN Y (new VLAN) & VLAN X (old VLAN) using ACE.

Now your VIPs & clients will belong to the old VLAN X (same IP subnet) & servers will be on the new VLAN Y (again, same IP subnet).

If you do not want to use two VLANs,

then you will have to use ACE in one-arm mode. Simply extend the current VLAN to the ACE module and configure SRC NAT/PBR.

The reason behind using SrcNAT/PBR is to make sure that return traffic from the servers does not bypass the ACE module

(which is not possible in the case of bridge mode).



PhilAstbury Fri, 07/31/2009 - 00:11

Hi, thanks for that,

so if we want to use bridging mode we need to separate the clients and servers onto separate VLANs. My follow-up is: if there are existing traffic flows between the clients and servers that we do not want load balanced, just regular flows, does the ACE also perform that bridging function?

i.e. all Layer 2 VLAN connectivity works post-move, with the benefit of having load balancing.

Syed Iftekhar Ahmed Fri, 07/31/2009 - 10:09

Yes, it will work as before. You just need to make sure that you have ACLs applied to each VLAN permitting all such (non-load-balanced) traffic.

Also, things to remember in configuring bridge mode are:

1. Enable BPDU forwarding on ACE (to merge STP domains).

2. BPDU guard & loop guard must be turned off.

Hope this helps.

Syed Iftekhar Ahmed
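To put the two-VLAN bridge-mode design and the ACL/BPDU checklist from the replies above into one concrete configuration, here is an added example; it was not posted by anyone in this thread and is not taken from Cisco documentation. VLAN numbers, addresses and object names are assumed placeholders, and the `ethertype` ACL is the mechanism assumed here for the "enable BPDU forwarding" step.

```cisco
! Assumed placeholders: VLAN 10 = old client/VIP VLAN X, VLAN 20 = new server VLAN Y,
! subnet 10.1.1.0/24 shared by clients, VIP and servers.

! Ethertype ACL so the ACE forwards BPDUs between the two bridged VLANs
! (merges the STP domains; BPDU guard / loop guard stay disabled on the
! switch ports facing these VLANs, as noted above).
access-list BPDU ethertype permit bpdu

! Extended ACL so ordinary, non-load-balanced client<->server flows are
! bridged unchanged; tighten to the needed protocols once inventoried.
access-list ALL line 10 extended permit ip any any

! Real server lives in the same /24 as the VIP, but on VLAN 20.
rserver host web1
  ip address 10.1.1.11
  inservice
serverfarm host SF-WEB
  rserver web1 80
    inservice

! VIP in the same subnet as clients and servers.
class-map match-all VIP-HTTP
  2 match virtual-address 10.1.1.100 tcp eq www
policy-map type loadbalance first-match LB-WEB
  class class-default
    serverfarm SF-WEB
policy-map multi-match CLIENT-SIDE
  class VIP-HTTP
    loadbalance vip inservice
    loadbalance policy LB-WEB

! Client-facing side of the bridge (old VLAN X).
interface vlan 10
  bridge-group 1
  access-group input BPDU
  access-group input ALL
  service-policy input CLIENT-SIDE
  no shutdown
! Server-facing side of the bridge (new VLAN Y).
interface vlan 20
  bridge-group 1
  access-group input BPDU
  access-group input ALL
  no shutdown
! BVI carries the ACE's own address in the shared subnet.
interface bvi 1
  ip address 10.1.1.2 255.255.255.0
  no shutdown
```

Only traffic addressed to the VIP is load balanced; everything else matching the `ALL` ACL is bridged between VLAN 10 and VLAN 20 as if they were still one VLAN, which is the behaviour asked about in the follow-up.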


This Discussion