ACE bridge-mode issue

lukaszkhalil
Level 1

Hello

I've configured the ACE with two bridge-groups, bvi1 and bvi2. I have a VIP configured in bridge-group 1 which is reachable from the outside network, but it is inaccessible from a host in the subnet behind bridge-group 2. When I do the same test with the rserver IP address, it works.

Is such communication allowed through the ACE, and if yes, how can I configure it?

My config looks like this:

access-list any line 8 extended permit ip any any
access-list any line 16 extended permit icmp any any
access-list nat line 8 extended permit ip host 10.0.100.1 any

rserver host R1
  ip address 192.168.13.101
  inservice
rserver host R2
  ip address 192.168.202.99
  inservice

serverfarm host S1
  rserver R1 8080
    inservice

class-map match-any L4
  2 match virtual-address 192.168.13.200 tcp eq www

policy-map type loadbalance http first-match L7
  class class-default
    serverfarm S1

policy-map multi-match L4
  class L4
    loadbalance vip inservice
    loadbalance policy L7
    loadbalance vip icmp-reply

interface vlan 200
  bridge-group 1
  access-group input any
  access-group output any
  service-policy input L4
  no shutdown
interface vlan 201
  bridge-group 1
  access-group input any
  access-group output any
  no shutdown
interface vlan 202
  bridge-group 2
  access-group input any
  access-group output any
  no shutdown
interface vlan 203
  bridge-group 2
  access-group input any
  access-group output any
  no shutdown

interface bvi 1
  ip address 192.168.13.5 255.255.255.0
  no shutdown
interface bvi 2
  ip address 192.168.202.5 255.255.255.0
  no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.13.3
ip route 0.0.0.0 0.0.0.0 192.168.202.3

Client 192.168.202.99 is trying to access the VIP (192.168.13.200).

What is more, I am wondering how the ACE works with the two default gateways. Is such communication secure enough?

switch/test(config)# do sh ip route

Routing Table for Context test (RouteId 2)

   Codes: H - host,   I - interface
          S - static,      N - nat
          A - need arp resolve,      E - ecmp

Destination         Gateway          Interface         Flags
------------------------------------------------------------------------
0.0.0.0             192.168.202.3    vlan202           SE [0x4c]
0.0.0.0             192.168.13.3     vlan200           SE [0x4c]
192.168.13.0/24     0.0.0.0          bvi1              IA [0x30]
192.168.202.0/24    0.0.0.0          bvi2              IA [0x30]

Thank you in advance

Lukas

4 Replies

Gilles Dufour
Cisco Employee

Configure your service policy (service-policy input L4) under the bridge-group 2 inbound interface.

Gilles.
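As an added check that is not part of the thread or of any Cisco tool, the following Python script parses the interface and routing lines of the config Lukas posted (embedded here as a constructed sample) and reports which bridge groups have no member interface carrying the L4 service-policy inbound, plus every static default gateway, since the ACE only classifies a flow on the interface it enters.

```python
import re
from collections import defaultdict

# Constructed sample: the interface and routing lines from the posted config.
ACE_CONFIG = """\
interface vlan 200
  bridge-group 1
  service-policy input L4
interface vlan 201
  bridge-group 1
interface vlan 202
  bridge-group 2
interface vlan 203
  bridge-group 2
ip route 0.0.0.0 0.0.0.0 192.168.13.3
ip route 0.0.0.0 0.0.0.0 192.168.202.3
"""

def parse_interfaces(config):
    """Map each 'interface vlan N' block to its bridge group and inbound policies."""
    ifaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (vlan \d+)\s*$", line)
        if m:
            current = m.group(1)
            ifaces[current] = {"bridge_group": None, "policies": set()}
            continue
        if not line.startswith(" ") or current is None:
            current = None          # any other top-level line ends the block
            continue
        body = line.strip()
        if m := re.match(r"bridge-group (\d+)", body):
            ifaces[current]["bridge_group"] = m.group(1)
        elif m := re.match(r"service-policy input (\S+)", body):
            ifaces[current]["policies"].add(m.group(1))
    return ifaces

def bridge_groups_missing_policy(config, policy):
    """Bridge groups where no member interface classifies `policy` inbound."""
    ifaces = parse_interfaces(config)
    members = defaultdict(list)
    for name, info in ifaces.items():
        if info["bridge_group"]:
            members[info["bridge_group"]].append(name)
    return sorted(bg for bg, names in members.items()
                  if not any(policy in ifaces[n]["policies"] for n in names))

def default_gateways(config):
    """All static default routes in the config; more than one is worth a review."""
    return re.findall(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M)
```

On the posted config it reports bridge group 2 as missing the policy, which matches the fix above; adding `service-policy input L4` under vlan 203 clears the report.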

Hello


I apologize that I am answering so late, but I was on holiday.

I've configured the service-policy L4 under interface vlan 203, but it did not help.

I am attaching the current config (slightly modified from the last config).

Do you know what else I can do?

Thank you in advance

Lukas

Do you have any hits on that policy when you try to connect from vlan 203?

Do a 'show service-policy' to verify and send me the result.

Gilles.

Hi

I double-checked it and it worked. Previously I had checked it with ICMP to the VIP, and this time I checked it with an http/https connection.

I still could not ping the VIP IP address from the 192.168.202.99 real server, although the feature "loadbalance vip icmp-reply" is configured correctly in the policy-map.

Regards

Lukas
