Transparent design with router on both sides?

olemariuss
Level 1

I am looking to solve a design which has to work in two scenarios. Preferably with an in-line solution.

1. Transparent design with VRF on both sides:

FW-VRF (Subnet A)
      |
      | (VLAN 11)
      |
ACE (Subnet A)
      |
      | (VLAN 12)
      |
LAN-VRF
      |
      | (VLAN 13)
      |
Real servers (Subnet B)

2. Transparent design in plain bridge mode

FW-VRF (Subnet A)
      |
      | (VLAN 11)
      |
ACE (Subnet A)
      |
      | (VLAN 12)
      |
Real servers (Subnet A)

As mentioned, I am aiming for a single design for both scenarios. A routed design will not pass in the first scenario and a one-arm solution will be inefficient in the second scenario. (both due to existing infrastructure) Is it possible to solve this with a transparent solution in both scenarios? I can't seem to get it to work.

Thanks in advance for any help!

4 Replies

Gilles Dufour
Cisco Employee

Not sure why you say the 2nd scenario is inefficient.

One-arm is when you have only 1 interface, so all traffic goes in and out the same interface.

In your option #2 this is clearly not one-armed. Traffic will come in vlan 11 and go out vlan 12.

This is transparent/bridge.

So sounds like the option that you are looking for.

Gilles.

That is correct. It is not a one-arm design. All I am saying is that I want to avoid having to use a one-arm design to satisfy both scenarios, because the existing topology where scenario 2 is relevant is inefficient. (This is solely on the network I am working on, not in general.)

All I am asking is whether a transparent/bridge design will work in both scenarios, as I am looking for a single design to ease differences in configuration throughout the network.

Yes, bridge mode will work in both scenarios.

Bridge mode is the best option if you do not want to change the current design... you can keep the same ip addressing and the same default gateway for your servers and simply insert ace in bridge mode between the 2 by just changing vlan ids.

Gilles.

olemariuss
Level 1

I'm gonna expand my question a bit as I cannot seem to get a working config in scenario 1. From the ACE I can ping the VRFs on both sides of the ACE. On the other hand, I can ping neither the BVI address of the ACE nor one VRF from the other. Can anyone notice any immediate errors in my config? Thanks in advance for any help!

Addresses:

10.3.66.1 - FW_VRF on client side

10.3.66.6 - LAN_VRF on server side

10.3.66.7 - BVI if on ACE

===Admin===

resource-class TEST_res
limit-resource all minimum 10.00 maximum unlimited

boot system image:c4710ace-mz.A3_2_0.bin

hostname 4710Appl
interface gigabitEthernet 1/1
description Management port
switchport access vlan 752
no shutdown
interface gigabitEthernet 1/2
description Client side LAN
switchport trunk allowed vlan 2522
no shutdown
interface gigabitEthernet 1/3
description Server side LAN
switchport trunk allowed vlan 2524
no shutdown
interface gigabitEthernet 1/4
shutdown

access-list BPDU ethertype permit bpdu

access-list ALL line 8 extended permit ip any any
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any

class-map type management match-any REMOTE_ACCESS
description Remote access traffic match
2 match protocol ssh any
3 match protocol icmp any
4 match protocol snmp any

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
class REMOTE_ACCESS
permit

interface vlan 752
description Management VLAN
ip address 10.7.52.63 255.255.255.0
service-policy input REMOTE_MGMT_ALLOW_POLICY
no shutdown

ip route 0.0.0.0 0.0.0.0 10.3.66.1

context TEST_context
allocate-interface vlan 752
allocate-interface vlan 2522
allocate-interface vlan 2524
member TEST_res
context TEST_context_routed

username admin password 5 $1$bale5EiS$bEdquz.bbcW3wRcfeSzbu/  role Admin domain default-domain
username www password 5 $1$bsOdgxav$1uywtkwFEj3QalKaOTrkZ1  role Admin domain default-domain
ssh key rsa 1024 force

===Application context===

access-list ALL line 8 extended permit ip any any
access-list ALL line 16 extended permit icmp any any

class-map type management match-any REMOTE_ACCESS
description Remote access traffic match
2 match protocol ssh any
3 match protocol icmp any

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
class REMOTE_ACCESS
permit

interface vlan 752
ip address 10.7.52.64 255.255.255.0
service-policy input REMOTE_MGMT_ALLOW_POLICY
no shutdown
interface vlan 2522
description Client side VLAN
bridge-group 1
access-group input ALL
access-group output ALL
no shutdown
interface vlan 2524
description Server side VLAN
bridge-group 1
access-group input ALL
access-group output ALL
no shutdown

interface bvi 1
ip address 10.3.66.7 255.255.255.240
no shutdown

ip route 0.0.0.0 0.0.0.0 10.3.66.1
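Added example, not from this thread or from Cisco: a small Python checker run over a constructed excerpt of the application-context config above. It verifies only the structural preconditions of an ACE bridge-mode setup (both VLAN interfaces in one bridge group with an input ACL applied, a BVI address, and a default gateway inside the BVI subnet); the function names parse_ace, check_bridge and audit are my own. It does not diagnose the ping failure, it rules out those particular mistakes before looking further.

```python
import re
from ipaddress import ip_address, ip_interface

# Constructed excerpt of the application-context config posted above.
ACE_CFG = """
interface vlan 2522
 bridge-group 1
 access-group input ALL
 access-group output ALL
interface vlan 2524
 bridge-group 1
 access-group input ALL
 access-group output ALL
interface bvi 1
 ip address 10.3.66.7 255.255.255.240
ip route 0.0.0.0 0.0.0.0 10.3.66.1
"""

def parse_ace(cfg):
    """Return ({iface: attrs}, [default gateways]) from an ACE context config."""
    ifaces, gws, cur = {}, [], None
    for line in (l.strip() for l in cfg.splitlines() if l.strip()):
        if m := re.match(r"interface (vlan|bvi) (\d+)$", line):
            cur = f"{m[1]} {m[2]}"
            ifaces[cur] = {"bg": None, "ip": None, "acl_in": None}
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", line):
            gws.append(ip_address(m[1]))
        elif cur and (m := re.match(r"bridge-group (\d+)$", line)):
            ifaces[cur]["bg"] = m[1]
        elif cur and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            ifaces[cur]["ip"] = ip_interface(f"{m[1]}/{m[2]}")
        elif cur and (m := re.match(r"access-group input (\S+)$", line)):
            ifaces[cur]["acl_in"] = m[1]
    return ifaces, gws

def check_bridge(ifaces, gws):
    """Sanity checks for a two-VLAN transparent (bridge-group + BVI) context."""
    findings = []
    bridged = {k: v for k, v in ifaces.items() if k.startswith("vlan") and v["bg"]}
    if len(bridged) != 2 or len({v["bg"] for v in bridged.values()}) != 1:
        findings.append("need exactly two VLAN interfaces in one bridge group")
    for name, v in bridged.items():
        if not v["acl_in"]:  # ACE denies through-traffic on an interface with no ACL
            findings.append(f"{name}: no input access-group applied")
    bvi = [v["ip"] for k, v in ifaces.items() if k.startswith("bvi") and v["ip"]]
    if not bvi:
        findings.append("no BVI address configured")
    for gw in gws:
        if bvi and gw not in bvi[0].network:
            findings.append(f"default gateway {gw} outside BVI subnet {bvi[0].network}")
    return findings

def audit(cfg=ACE_CFG):
    """Run the checks; an empty list means the structural preconditions hold."""
    return check_bridge(*parse_ace(cfg))
```

The posted config passes these checks, so the cause of the failed pings lies elsewhere (e.g. what the two VRFs and the switch do with the bridged VLANs), which this checker cannot see.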
