Cisco Support Community

ACE - VIP address on different subnet

Hello,

Is it possible to configure a VIP address that is on a different subnet from the VLAN it is applied on?

For example:

VIP is 10.10.10.1/24 on VLAN 10

Interface of ACE in VLAN 10 is 192.168.1.1/24

On the upstream routers, a static route points to the VIP address (subnet) with the ACE address as next hop?

Thanks.

6 REPLIES

Re: ACE - VIP address on different subnet

Yes, it's possible.

Syed Iftekhar Ahmed

Re: ACE - VIP address on different subnet

Hi,

I tried to configure this, but without a client, rserver, routers... to test it.

I configured 3 class maps to match a VIP address. 2 were fake and 1 was real (2 in a different subnet than the ACE interface and 1 in the subnet of the ACE interface).

When I did a sh arp, only the real one showed up as VSERVER. The other 2 weren't there.

Like I said, I didn't have the possibility to test it, so I can't confirm if it is working or not.

Could you please comment?

Thanks in advance.

Re: ACE - VIP address on different subnet

Unfortunately, I don't have a test environment either to verify this.

I don't think you will see ARP entries, as the address doesn't belong to an interface.

You should see the VIPs active (sh service policy detail) for these non-interface VIPs.

If those are active, then I think once a client request hits the ACE, it should take care of it.

I have deployed such a solution with FWSM (no VIPs there, but used NATed addresses not belonging to any attached interface), and as per that experience I think it should work.

But yes, you need actual clients to test this scenario.

Syed

Re: ACE - VIP address on different subnet

Thanks,

Once I have the chance to test this, I will update this topic.

Re: ACE - VIP address on different subnet

Hello,

You should think of the "other subnet" VIP addresses as existing on a virtual interface inside the ACE and being routed through the outside interface of the ACE. They will not show up in a "show arp".

We use this often, both in routed and bridged ACE contexts, and it works very nicely.

I wish you luck with this. :-)

/Claus

Re: ACE - VIP address on different subnet

Dario,

I have also used this method to indicate the availability of our internal firewall interface for intelligent advertisement of the default route out of the corporate network (i.e. using RHI). The routing for this is quite stable and working well also.

SteveK.
