New Member

ACE bridge-mode issue

Hello

I've configured the ACE with two bridge-groups, bvi1 and bvi2. I have a VIP configured in bridge-group 1 which is available from the outside network, but it is inaccessible from a host in the subnet behind bridge-group 2. When I do the same test with the rserver IP address it works.

Is such communication allowed through the ACE, and if yes, how can I configure it?

My config looks like this:

access-list any line 8 extended permit ip any any
access-list any line 16 extended permit icmp any any
access-list nat line 8 extended permit ip host 10.0.100.1 any

rserver host R1
  ip address 192.168.13.101
  inservice
rserver host R2
  ip address 192.168.202.99
  inservice

serverfarm host S1
  rserver R1 8080
    inservice

class-map match-any L4
  2 match virtual-address 192.168.13.200 tcp eq www

policy-map type loadbalance http first-match L7
  class class-default
    serverfarm S1

policy-map multi-match L4
  class L4
    loadbalance vip inservice
    loadbalance policy L7
    loadbalance vip icmp-reply

interface vlan 200
  bridge-group 1
  access-group input any
  access-group output any
  service-policy input L4
  no shutdown
interface vlan 201
  bridge-group 1
  access-group input any
  access-group output any
  no shutdown
interface vlan 202
  bridge-group 2
  access-group input any
  access-group output any
  no shutdown
interface vlan 203
  bridge-group 2
  access-group input any
  access-group output any
  no shutdown

interface bvi 1
  ip address 192.168.13.5 255.255.255.0
  no shutdown
interface bvi 2
  ip address 192.168.202.5 255.255.255.0
  no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.13.3
ip route 0.0.0.0 0.0.0.0 192.168.202.3

Client 192.168.202.99 is trying to access the VIP (192.168.13.200).

What is more, I am wondering how the ACE works with the two default gateways. Is such communication secure enough?

switch/test(config)# do sh ip route

Routing Table for Context test (RouteId 2)

   Codes: H - host,   I - interface
          S - static,      N - nat
          A - need arp resolve,      E - ecmp

Destination         Gateway          Interface         Flags
------------------------------------------------------------------------
0.0.0.0             192.168.202.3    vlan202           SE [0x4c]
0.0.0.0             192.168.13.3     vlan200           SE [0x4c]
192.168.13.0/24     0.0.0.0          bvi1              IA [0x30]
192.168.202.0/24    0.0.0.0          bvi2              IA [0x30]

Thank you in advance

Lukas

4 REPLIES
Cisco Employee

Re: ACE bridge-mode issue

Configure your service policy - service-policy input L4 - under the bridge-group 2 inbound interface.

Gilles.
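A quick way to catch the placement problem Gilles points at, as an added example that is not code from the thread or from Cisco: a small Python linter that reads an ACE running-config in the form pasted above, groups the VLAN interfaces by bridge-group, and lists which members do not carry `service-policy input <name>`. In bridge mode the VIP class is only evaluated on the interface the client traffic enters through, so a policy bound only to vlan 200 never sees a client arriving via vlan 203. The sample config embedded below is constructed from the original post; the handling of an unindented, context-level `service-policy input` line assumes ACE applies such a line to all interfaces in the context.

```python
"""Report bridge-group member interfaces that lack a given ACE service policy.

Added example, not part of the original thread. Assumes the config is plain
running-config text with two-space indentation inside interface blocks, as
pasted in the post above.
"""
import re
from collections import defaultdict

# Constructed sample based on the original poster's config: L4 is bound only
# on vlan 200 (bridge-group 1), so a client entering through vlan 203
# (bridge-group 2) never matches the VIP class.
SAMPLE_CONFIG = """\
interface vlan 200
  bridge-group 1
  access-group input any
  service-policy input L4
  no shutdown
interface vlan 201
  bridge-group 1
  no shutdown
interface vlan 202
  bridge-group 2
  no shutdown
interface vlan 203
  bridge-group 2
  no shutdown
interface bvi 1
  ip address 192.168.13.5 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.13.3
"""


def parse_config(config):
    """Return (interfaces, global_policies).

    interfaces: {name: {"bridge_group": int | None, "policies": [str, ...]}}
    global_policies: service policies applied at context level (unindented),
    which this script assumes cover every interface in the context.
    """
    interfaces = {}
    global_policies = []
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = re.match(r"^interface (\S+ \S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = {"bridge_group": None, "policies": []}
            continue
        if not line.startswith(" "):
            # Unindented line: we have left any interface block.
            current = None
            m = re.match(r"^service-policy input (\S+)$", line)
            if m:
                global_policies.append(m.group(1))
            continue
        if current is None:
            continue
        body = line.strip()
        m = re.match(r"^bridge-group (\d+)$", body)
        if m:
            interfaces[current]["bridge_group"] = int(m.group(1))
            continue
        m = re.match(r"^service-policy input (\S+)$", body)
        if m:
            interfaces[current]["policies"].append(m.group(1))
    return interfaces, global_policies


def missing_policy(config, policy):
    """Map bridge-group number -> sorted member interfaces lacking `policy`.

    bvi interfaces carry the bridge IP, not a bridge-group line, so they are
    skipped. An empty dict means every member interface is covered.
    """
    interfaces, global_policies = parse_config(config)
    if policy in global_policies:
        return {}
    gaps = defaultdict(list)
    for name, info in sorted(interfaces.items()):
        group = info["bridge_group"]
        if group is None:
            continue
        if policy not in info["policies"]:
            gaps[group].append(name)
    return dict(gaps)


if __name__ == "__main__":
    for group, names in missing_policy(SAMPLE_CONFIG, "L4").items():
        print(f"bridge-group {group}: no 'service-policy input L4' on "
              f"{', '.join(names)}")
```

Not every member needs the policy: the server-side VLAN of a bridge-group (vlan 201 here) only has to carry it if clients also enter there. The list is meant to be read against which VLANs are client-facing, and the follow-up check is the one Gilles asks for next, `show service-policy L4`, to confirm the hit counters move when a client behind bridge-group 2 connects.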

New Member

Re: ACE bridge-mode issue

Hello


I apologize for answering so late, but I was on holiday.

I've configured the service-policy L4 under the interface vlan 203, but it has not helped.

I am attaching the current config (a bit modified from the last config).

Do you know what else I can do?

Thank you in advance

Lukas

Cisco Employee

Re: ACE bridge-mode issue

Do you have any hits on that policy when you try to connect from vlan 203?

Do a 'show service-policy' to verify and send me the result.

Gilles.

New Member

Re: ACE bridge-mode issue

Hi

I double-checked it and it worked. Previously I had checked it with ICMP to the VIP, and this time I checked it with an HTTP/HTTPS connection.

I still could not ping the VIP IP address from the 192.168.202.99 real server, although the feature "loadbalance vip icmp-reply" is configured correctly in the policy-map.

Regards

Lukas
