ACE bridge-mode issue

Unanswered Question
Jul 14th, 2010


Hello

I've configured the ACE with two bridge-groups, bvi1 and bvi2. I have a VIP configured in bridge-group 1 which is available from the outside network, but it is inaccessible from the host in the subnet behind bridge-group 2. When I do the same test with the rserver IP address it works.

Is such communication allowed through the ACE, and if yes, how can I configure it?

My config looks like this:

access-list any line 8 extended permit ip any any
access-list any line 16 extended permit icmp any any
access-list nat line 8 extended permit ip host 10.0.100.1 any

rserver host R1
  ip address 192.168.13.101
  inservice
rserver host R2
  ip address 192.168.202.99
  inservice

serverfarm host S1
  rserver R1 8080
    inservice

class-map match-any L4
  2 match virtual-address 192.168.13.200 tcp eq www

policy-map type loadbalance http first-match L7
  class class-default
    serverfarm S1

policy-map multi-match L4
  class L4
    loadbalance vip inservice
    loadbalance policy L7
    loadbalance vip icmp-reply

interface vlan 200
  bridge-group 1
  access-group input any
  access-group output any
  service-policy input L4
  no shutdown
interface vlan 201
  bridge-group 1
  access-group input any
  access-group output any
  no shutdown
interface vlan 202
  bridge-group 2
  access-group input any
  access-group output any
  no shutdown
interface vlan 203
  bridge-group 2
  access-group input any
  access-group output any
  no shutdown

interface bvi 1
  ip address 192.168.13.5 255.255.255.0
  no shutdown
interface bvi 2
  ip address 192.168.202.5 255.255.255.0
  no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.13.3
ip route 0.0.0.0 0.0.0.0 192.168.202.3

Client 192.168.202.99 is trying to access the VIP (192.168.13.200).

What is more, I am wondering how the ACE works with the two default gateways. Is such communication secure enough?

switch/test(config)# do sh ip route

Routing Table for Context test (RouteId 2)

   Codes: H - host,   I - interface
          S - static,      N - nat
          A - need arp resolve,      E - ecmp

Destination         Gateway          Interface         Flags
------------------------------------------------------------------------
0.0.0.0             192.168.202.3    vlan202           SE [0x4c]
0.0.0.0             192.168.13.3     vlan200           SE [0x4c]
192.168.13.0/24     0.0.0.0          bvi1              IA [0x30]
192.168.202.0/24    0.0.0.0          bvi2              IA [0x30]

Thank you in advance

Lukas

Gilles Dufour Mon, 07/19/2010 - 06:55

Configure your service policy (service-policy input L4) under the bridge-group 2 inbound interface.

Gilles.
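As an added example (not from the thread and not a Cisco tool), a small Python lint that applies the point above to a config like Lukas's: it parses the ACE interface blocks and lists, per bridge-group, the VLAN interfaces where the VIP's multi-match policy is not applied inbound. The config text is a constructed excerpt of the first post's interface section.

```python
import re

# Constructed excerpt of the interface section from the first post (access-group
# lines omitted): VLANs 200/201 are in bridge-group 1, 202/203 in bridge-group 2,
# and only vlan 200 carries the multi-match policy L4 that owns the VIP.
ACE_CONFIG = """\
interface vlan 200
  bridge-group 1
  service-policy input L4
  no shutdown
interface vlan 201
  bridge-group 1
  no shutdown
interface vlan 202
  bridge-group 2
  no shutdown
interface vlan 203
  bridge-group 2
  no shutdown
"""

def parse_vlan_interfaces(config):
    """Return {vlan: {"bridge_group": int|None, "policies": set()}} from ACE config text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^interface vlan (\d+)$", line)
        if m:
            current = int(m.group(1))
            interfaces[current] = {"bridge_group": None, "policies": set()}
            continue
        if current is None or not line.startswith(" "):
            current = None  # left the interface block (e.g. "interface bvi 1")
            continue
        m = re.match(r"^\s+bridge-group (\d+)$", line)
        if m:
            interfaces[current]["bridge_group"] = int(m.group(1))
        m = re.match(r"^\s+service-policy input (\S+)$", line)
        if m:
            interfaces[current]["policies"].add(m.group(1))
    return interfaces

def interfaces_missing_policy(config, policy):
    """Map bridge-group -> VLAN interfaces where `policy` is not applied inbound.
    Client traffic entering the ACE on those VLANs is never matched against the VIP."""
    missing = {}
    for vlan, info in sorted(parse_vlan_interfaces(config).items()):
        if policy not in info["policies"]:
            missing.setdefault(info["bridge_group"], []).append(vlan)
    return missing
```

Run against the first post's config it reports vlan 202 and 203 (bridge-group 2) as lacking L4, which is the inbound side for the 192.168.202.99 client.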

lukaszkhalil Wed, 08/18/2010 - 13:34

Hello


I apologize for answering so late, but I was on holiday.

I've configured the service-policy L4 under interface vlan 203, but it has not helped.

I am attaching the current config (a bit modified from the last config).

Do you know what else I can do?

Thank you in advance

Lukas

Gilles Dufour Wed, 08/18/2010 - 16:08

Do you have any hits on that policy when you try to connect from vlan 203?

Do a 'show service-policy' to verify and send me the result.

Gilles.

lukaszkhalil Sun, 08/22/2010 - 23:25


Hi

I double-checked it and it worked. Previously I had checked it by ICMP to the VIP, and this time I checked it with an HTTP/HTTPS connection.

I still could not ping the VIP IP address from the 192.168.202.99 real server, although the feature "loadbalance vip icmp-reply" is configured correctly in the policy-map.

Regards

Lukas
