ACE30-MOD-K9 in bridge mode

Unanswered Question
Jun 19th, 2014

I configured ACE30-MOD-K9 in bridge mode and I configured a server farm with its real servers. The traffic passes and is balanced correctly between all RSERVERs. But I cannot contact a server that is on the same VLAN as the server farm but doesn't belong to this server farm.

I thought that the traffic directed to this "spare" server shouldn't be balanced, but the bridge should permit traffic to pass (transparent mode). Is that correct?

What does ACE in bridge mode do with traffic directed to servers that do not belong to any server farm but are present on the same VLAN (same bridge group)?

 

With the following configuration, I can't reach server 10.10.10.168 via HTTP.

This server doesn't belong to any server farm.

--------------------------------------------------------------------------------------------

access-list INBOUND line 8 extended permit ip any any
access-list INBOUND line 16 extended permit icmp any any


probe http HTTP_PROBE1
  expect status 200 200


rserver host RS_WEB1
  ip address 10.10.10.163
  inservice
rserver host RS_WEB2
  ip address 10.10.10.164
  inservice
rserver host RS_WEB3
  ip address 10.10.10.165
  inservice
rserver host RS_WEB4
  ip address 10.10.10.167
  inservice

serverfarm host SF_FIREGROUP
  rserver RS_WEB1
    inservice
  rserver RS_WEB2
    inservice
  rserver RS_WEB3
    inservice
  rserver RS_WEB4
    inservice

sticky ip-netmask 255.255.255.255 address source sticky-ip
  replicate sticky
  serverfarm SF_FIREGROUP

sticky http-cookie myCookie sticky-cookie
  cookie insert browser-expire
  serverfarm SF_FIREGROUP

class-map match-any VS_FIREGROUP
  2 match virtual-address 10.10.10.169 tcp eq www
  4 match virtual-address 10.10.10.169 tcp eq 8081
  5 match virtual-address 10.10.10.169 tcp eq 8082
  6 match virtual-address 10.10.10.169 tcp eq 8083
  7 match virtual-address 10.10.10.169 tcp eq 8084
  8 match virtual-address 10.10.10.169 tcp eq 8085
  9 match virtual-address 10.10.10.169 tcp eq 8097

class-map match-any VS_FIREGROUP_HTTPS
  2 match virtual-address 10.10.10.169 tcp eq https

policy-map type loadbalance first-match HTTP
  class class-default
    sticky-serverfarm sticky-cookie
policy-map type loadbalance first-match HTTPS
  class class-default
    sticky-serverfarm sticky-ip

policy-map multi-match HTTP_HTTPS_MULTI_MATCH
  class VS_FIREGROUP
    loadbalance vip inservice
    loadbalance policy HTTP
    loadbalance vip advertise active
  class VS_FIREGROUP_HTTPS
    loadbalance vip inservice
    loadbalance policy HTTPS
    loadbalance vip advertise active

interface vlan 4
  bridge-group 1
  access-group input INBOUND
  service-policy input HTTP_HTTPS_MULTI_MATCH
  no shutdown

interface vlan 700
  bridge-group 1
  access-group input INBOUND
  no shutdown

interface bvi 1
  ip address 10.10.10.150 255.255.255.0
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.10.10.1

 

Thanks a lot

Francesco

nkarthikeyan Fri, 06/20/2014 - 10:34

Hi Francesco,

 

Why do you want to use the subnet of the server farm for a server which is not participating in the LB group? Because your router/MSFC will route the traffic destined to the entire subnet to the ACE, where it does the LB with the available servers. I believe the LB is protecting/blocking the communication that happens to the server which is not in the list.

 

There should be some way to get this done through a policy-map or something... I will let you know if I find any option.

 

HTH

 

Regards

Karthik
