Bridge-Group Virtual Interfaces between context

blankguy7
Level 1

Hi networker,

Actually, I'm struggling with configuring the ACE 4700!

I've read the Cisco configuration guide but it is difficult to put all the configuration together! I can't find the right example....

I'm trying to configure "Basic Load Balancing Using Bridged Mode on the Cisco Application Control Engine" BUT with two contexts, "Admin" and "Context1".

You'll find part of my configuration below; rserver and all that stuff is actually not important!

Here are my questions:

- Each context has one VLAN, and both are defined in a BVI interface! How do I assign this BVI interface to a port-channel group of two interfaces, gigabitEthernet 1/2 and 1/3? How do I assign a BVI interface to a physical interface?

- Each context has one VLAN; how do I enable traffic between these VLANs across the two contexts?

Admin context

interface gigabitEthernet 1/1
  [...]
interface gigabitEthernet 1/2
  channel-group 1
  no shutdown
interface gigabitEthernet 1/3
  channel-group 1
  no shutdown
interface gigabitEthernet 1/4
  [...]
interface port-channel 1
  switchport access vlan 10
  no shutdown

access-list PERMIT_ALL line 8 extended permit ip any any
access-list PERMIT_ALL line 16 extended permit icmp any any

class-map type management match-any L4_MGMT_CLASS
  2 match protocol icmp any
  3 match protocol ssh any
  4 match protocol https any
  5 match protocol xml-https any

policy-map type management first-match L4_MGMT_MATCH
  class L4_MGMT_CLASS
    permit

interface vlan 10
  description "Client Side"
  bridge-group 1
  access-group input PERMIT_ALL
  service-policy input L4_MGMT_MATCH
  no shutdown

interface bvi 1
  ip address 192.168.10.244 255.255.255.0
  peer ip address 192.168.10.245 255.255.255.0
  no shutdown

context Context1
  allocate-interface vlan 10
  allocate-interface vlan 20

Context1 context

access-list PERMIT_ALL line 8 extended permit ip any any
access-list PERMIT_ALL line 16 extended permit icmp any any

class-map type management match-any L4_MGMT_CLASS
  2 match protocol icmp any
  3 match protocol ssh any
  4 match protocol https any
  5 match protocol xml-https any

interface vlan 20
  description "Server Side"
  bridge-group 1
  nat-pool 1 192.168.10.249 192.168.10.249 netmask 255.255.255.0 pat
  service-policy input L4_MGMT_MATCH
  no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.10.1

Thanks in advance for your help and fresh ideas


jsirstin
Level 1

What you are trying to do is not possible. The ACE cannot talk directly from one context to another without first leaving the device, either at L2 or L3, and then being sent into the second context via the switch or router.

BVIs are only relevant to one context. You create the two vlans and a BVI, and then tie the BVI to the two vlans.

What is the reason for having traffic in the Admin context bridge to the second context? Why not just have vlan 10 and 20 in one context and bridge them together?

Regards

Jim

Thanks jsirstin for your answer!

Two contexts: because we want to separate two different departments. Yes, with one context it would be simpler...

But something is not clear to me!

To simplify my question: is it possible to have one VLAN on each context, VLAN1 -> Admin, VLAN2 -> context1, with the same subnet? How do I configure routing or bridging between contexts?

Best regards,

jm

Blankguy7,

Routing/ bridging between contexts is not possible if both are in the same subnet and both contexts are active on the same ACE.

If you can provide some additional info with your requirements I could help with a sample config. I need to understand your requirements for both load balancing as well as routing/bridging.

Regards

Jim

Ok, thanks for your offer to help me!

We have two departments, one "prod" and one "test". In these departments there are clients and servers, where the clients want to connect to the servers and applications, and where an application is redundant on two or more servers with load balancing.

Example: when a client connects to an application it calls a virtual IP address, then the ACE checks a probe (LDAP_PROBE). When the test is OK the ACE will NAT the client's IP address and connect to the server. With the help of the NAT IP address all traffic will be routed between the server and client through the ACE.

2 x ACE with ports: E1 (mgmt), E2 (IN from clients), E3 (OUT to servers), E4 (FT heartbeat)

So, here is my first try; what do you think?

ACE1/Admin# sh run
Generating configuration....

boot system image:c4710ace-t1k9-mz.A5_1_2.bin

hostname ACE1

interface gigabitEthernet 1/1
  shutdown
interface gigabitEthernet 1/2
  switchport access vlan 10
  no shutdown
interface gigabitEthernet 1/3
  switchport access vlan 20
  no shutdown
interface gigabitEthernet 1/4
  shutdown

access-list PERMIT_ALL line 8 extended permit ip any any
access-list PERMIT_ALL line 16 extended permit icmp any any

class-map type management match-any L4_MGMT_CLASS
  2 match protocol icmp any
  3 match protocol ssh any
  4 match protocol https any
  5 match protocol xml-https any

policy-map type management first-match L4_MGMT_MATCH
  class L4_MGMT_CLASS
    permit

interface vlan 10
  description "Client Side"
  ip address 192.168.10.244 255.255.255.0
  access-group input PERMIT_ALL
  service-policy input L4_MGMT_MATCH
  no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.10.1

context PROD
  allocate-interface vlan 20

ssh key dsa 1024 force

ACE1/PROD# sh run
Generating configuration....

access-list PERMIT_ALL line 8 extended permit ip any any
access-list PERMIT_ALL line 16 extended permit icmp any any

script file name LDAP_PROBE

probe scripted prvd30_PROBE
  port 3930
  interval 5
  passdetect interval 5
  script LDAP_PROBE

rserver host M3000_TEST
  ip address 192.168.10.223
  inservice

serverfarm host ldapprod
  predictor response syn-to-close
  probe prvd30_PROBE
  rserver M3000_TEST
    inservice

parameter-map type http CASE_PARAM
  case-insensitive
  persistence-rebalance

class-map type management match-any L4_MGMT_CLASS
  2 match protocol icmp any
  3 match protocol ssh any
  4 match protocol https any
  5 match protocol xml-https any

class-map match-all ldapprod_CLASS
  2 match virtual-address 192.168.10.248 tcp eq 3930

policy-map type management first-match L4_MGMT_MATCH
  class L4_MGMT_CLASS
    permit

policy-map type loadbalance first-match ldapprod_POLICY
  class class-default
    serverfarm ldapprod

policy-map multi-match PROD-POLICY
  class ldapprod_CLASS
    loadbalance vip inservice
    loadbalance policy ldapprod_POLICY
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options CASE_PARAM

interface vlan 20
  description "Server Side"
  ip address 192.168.10.245 255.255.255.0
  no normalization
  no icmp-guard
  access-group input PERMIT_ALL
  access-group output PERMIT_ALL
  nat-pool 1 192.168.10.249 192.168.10.249 netmask 255.255.255.0 pat
  service-policy input L4_MGMT_MATCH
  service-policy input PROD-POLICY
  no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.10.1

Thank you very much and best regards,

Jérôme

This will not work. Are you planning on adding any other contexts to the ACE in the future? If not, you could do this all in the Admin context using bridge mode. If you are adding more contexts in the future you could do this in a different context and have the Admin only for management of the ACE, but you would need to configure your gig interfaces as trunks to include more than 4 vlans.

In the sample below there are two vlans, 10 and 20. Vlan 10 would have all non-loadbalanced servers as well as the default gateway of the ACE. This default gateway will be the same for all servers in these two vlans as well.

Vlan 20 is a layer 2 vlan on the switch and this is where the servers that need to be loadbalanced are located.

With this topology you do not need to use nat, since the server reply for the loadbalanced servers has to bridge through the ACE to get back to the client.

Just make sure you issue show arp once configured to confirm that the ACE learns load balanced servers on vlan 20 and the gateway on vlan 10.

I put in a sample ft config as well but did not know what vlan you were using for the ft link.

ACE1/Admin# sh run
Generating configuration....

boot system image:c4710ace-t1k9-mz.A5_1_2.bin

hostname ACE1

interface gigabitEthernet 1/1
  shutdown
interface gigabitEthernet 1/2
  switchport access vlan 10
  no shutdown
interface gigabitEthernet 1/3
  switchport access vlan 20
  no shutdown
interface gigabitEthernet 1/4
  shutdown

access-list PERMIT_ALL line 8 extended permit ip any any
access-list PERMIT_ALL line 16 extended permit icmp any any

script file name LDAP_PROBE

probe scripted prvd30_PROBE
  port 3930
  interval 5
  passdetect interval 5
  script LDAP_PROBE

rserver host M3000_TEST
  ip address 192.168.10.223
  inservice

serverfarm host ldapprod
  predictor response syn-to-close
  probe prvd30_PROBE
  rserver M3000_TEST
    inservice

parameter-map type http CASE_PARAM
  case-insensitive
  persistence-rebalance

class-map type management match-any L4_MGMT_CLASS
  2 match protocol icmp any
  3 match protocol ssh any
  4 match protocol https any
  5 match protocol xml-https any

class-map match-all ldapprod_CLASS
  2 match virtual-address 192.168.10.248 tcp eq 3930

policy-map type management first-match L4_MGMT_MATCH
  class L4_MGMT_CLASS
    permit

policy-map type loadbalance first-match ldapprod_POLICY
  class class-default
    serverfarm ldapprod

policy-map multi-match PROD-POLICY
  class ldapprod_CLASS
    loadbalance vip inservice
    loadbalance policy ldapprod_POLICY
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options CASE_PARAM

interface vlan 10
  description "Client Side"
  bridge-group 1
  access-group input PERMIT_ALL
  service-policy input L4_MGMT_MATCH
  service-policy input PROD-POLICY
  no shutdown

interface vlan 20
  description "Server Side"
  bridge-group 1
  access-group input PERMIT_ALL
  access-group output PERMIT_ALL
  service-policy input L4_MGMT_MATCH
  no shutdown

interface bvi 1
  ip address 192.168.10.245 255.255.255.0
  peer ip address 192.168.10.244 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.10.1

ft interface vlan 601
  ip address 1.1.1.2 255.255.
  peer ip address 1.1.1.1 255
  no shutdown

ft peer 1
  heartbeat interval 100
  heartbeat count 10
  ft-interface vlan 601
  query-interface vlan 10

ft group 1
  peer 1
  no preempt
  priority 121
  peer priority 120
  associate-context Admin
  inservice

Thanks for your help...

I don't really know if in the future there will be more contexts... but I will check that! The contexts were a wish from my chief too, but I'll speak to him again...

So, before testing without contexts I've tested with them! As you told me, I've defined the Admin context for management (I must add an IP address) and the context for the traffic. I wrote the config below... it's a working config, and feel free to tell me what you think about it.

About FT, I must define the VLAN and put it at the end of the Admin config.

We've defined contexts to divide the departments for security reasons, but no one will access them for management. Only the admin group will have access to them! In this case, is it really important to have contexts or not???

ACE1/Admin# sh run
Generating configuration....

boot system image:c4710ace-t1k9-mz.A5_1_2.bin

hostname ACE1

interface gigabitEthernet 1/1
  shutdown
interface gigabitEthernet 1/2
  no shutdown
interface gigabitEthernet 1/3
  switchport access vlan 20
  no shutdown
interface gigabitEthernet 1/4
  switchport access vlan 10
  no shutdown

access-list PERMIT_ALL line 8 extended permit ip any any
access-list PERMIT_ALL line 16 extended permit icmp any any

class-map type management match-any L4_MGMT_CLASS
  2 match protocol icmp any
  3 match protocol ssh any
  4 match protocol https any
  5 match protocol xml-https any

policy-map type management first-match L4_MGMT_MATCH
  class L4_MGMT_CLASS
    permit

interface vlan 10
  description "mgmt"
  access-group input PERMIT_ALL
  service-policy input L4_MGMT_MATCH

context PROD
  allocate-interface vlan 20

ACE1/PROD# sh run
Generating configuration....

logging enable

access-list PERMIT_ALL line 8 extended permit ip any any
access-list PERMIT_ALL line 16 extended permit icmp any any
access-list PERMIT_ALL line 24 extended permit tcp any any
access-list PERMIT_ALL line 32 extended permit udp any any

class-map type management match-any L4_MGMT_CLASS
  2 match protocol icmp any
  3 match protocol ssh any
  4 match protocol https any
  5 match protocol xml-https any

policy-map type management first-match L4_MGMT_MATCH
  class L4_MGMT_CLASS
    permit

script file name LDAP_PROBE

probe scripted prvd30_PROBE
  port 3930
  interval 5
  passdetect interval 5
  script LDAP_PROBE

rserver host M3000_TEST
  ip address 192.168.10.223
  inservice

serverfarm host ldapprod
  predictor response syn-to-close
  probe prvd30_PROBE
  rserver M3000_TEST 3930
    inservice

parameter-map type http CASE_PARAM
  case-insensitive
  persistence-rebalance

class-map match-all ldapprod_CLASS
  2 match virtual-address 192.168.10.248 tcp eq 23930

policy-map type loadbalance first-match ldapprod_POLICY
  class class-default
    serverfarm ldapprod

policy-map multi-match PROD-POLICY
  class ldapprod_CLASS
    loadbalance vip inservice
    loadbalance policy ldapprod_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 20
    appl-parameter http advanced-options CASE_PARAM

interface vlan 20
  description "server side"
  ip address 192.168.10.245 255.255.255.0
  no normalization
  no icmp-guard
  access-group input PERMIT_ALL
  access-group output PERMIT_ALL
  nat-pool 1 192.168.10.249 192.168.10.249 netmask 255.255.255.0 pat
  service-policy input L4_MGMT_MATCH
  service-policy input PROD-POLICY
  no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.10.1

This is a basic one-armed mode config. If this fits your load balancing requirements it is a good option. Only traffic that needs to be load balanced will pass through the ACE. All direct-to-server or server-initiated traffic will bypass the ACE. What is the reason you turned off normalization? If your servers are not pointing to the ACE as the default gateway you can probably leave this security feature enabled. When loadbalancing with this config, NAT will force the server reply back to the ACE, so the server's gateway can point to the same device as the ACE is using.

Regarding the Admin context: if you are only going to have one context you can do both the administration and loadbalancing in this context for simplicity, but with multiple contexts it is a good idea to leave the Admin context for administration only.

If you decide to add more contexts in the future you would just need to configure the Gig interfaces on the ACE as well as the connecting switch as trunk links.

Regards

Jim

Thank you very much for your graceful help!

Now, it's running well...

Last but not least question: how do I configure a track interface or query-interface in an ft peer or group with a VLAN that doesn't belong to the Admin context? It is important for us to stop the FT when VLAN 20 is down, and not only the FT VLAN 10.

IN ADMIN CONTEXT

command

ACE3/Admin(config-ft-peer)# query-interface vlan 20
Error: query vlan '20' does not exist or is FT vlan!

config

ft interface vlan 1000
  ip address 10.1.1.1 255.255.255.0
  peer ip address 10.1.1.2 255.255.255.0
  no shutdown

ft peer 1
  heartbeat interval 300
  heartbeat count 10
  ft-interface vlan 1000
  query-interface vlan 10

ft group 1
  peer 1
  priority 150
  associate-context Admin

ip route 0.0.0.0 0.0.0.0 192.168.10.1

context PROD
  allocate-interface vlan 20
  allocate-interface vlan 30

ft group 2
  peer 1
  priority 150
  associate-context PROD
  inservice

Thanks in advance
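Three rules come up across this thread: jsirstin's point that a BVI and its bridge-group live inside one context, Jim's remark that `no normalization` switches off a security feature (and that `permit ip any any` on an interface is worth a second look), and the ACE's own refusal of a `query-interface` VLAN that is not a data VLAN of the Admin context. The following Python script is an added example, not code from the thread or from Cisco: it parses `show run` text of the kind pasted above, one string per context, and reports violations of those rules before the config is pasted onto the box. It assumes the admin context is named "Admin" (as in the thread), and the sample configs embedded in it are constructed for the example, with each mistake planted on purpose.

```python
"""Offline sanity checks for Cisco ACE per-context configurations.

Added example for this thread, not the poster's config and not a Cisco tool.
Assumptions: one 'show run' string per context, the admin context is named
"Admin", and only the sub-lines of a section are indented (ACE's own style).
"""
import re
from collections import defaultdict

# Constructed sample (not the poster's config): bridge-group 1 spans two
# contexts, vlan 20 disables normalization, both interfaces apply a
# permit-any ACL, and the ft peer queries a VLAN the Admin context lacks.
SAMPLE_CONFIGS = {
    "Admin": """
access-list PERMIT_ALL line 8 extended permit ip any any
interface vlan 10
  description "Client Side"
  bridge-group 1
  access-group input PERMIT_ALL
  no shutdown
interface bvi 1
  ip address 192.168.10.244 255.255.255.0
  peer ip address 192.168.10.245 255.255.255.0
  no shutdown
ft interface vlan 1000
  ip address 10.1.1.1 255.255.255.0
  peer ip address 10.1.1.2 255.255.255.0
  no shutdown
ft peer 1
  ft-interface vlan 1000
  query-interface vlan 20
context PROD
  allocate-interface vlan 20
""",
    "PROD": """
access-list PERMIT_ALL line 8 extended permit ip any any
interface vlan 20
  description "Server Side"
  bridge-group 1
  no normalization
  access-group input PERMIT_ALL
  no shutdown
""",
}


def parse_sections(text):
    """Split ACE config text into (header, [indented sub-lines]) blocks."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit(configs, admin_ctx="Admin"):
    """Return a list of finding strings across all contexts (empty = clean)."""
    findings = []
    bridge_members = defaultdict(set)   # bridge-group id -> {(context, vlan)}
    admin_vlans, ft_vlans, query_vlans = set(), set(), []
    for ctx, text in configs.items():
        sections = parse_sections(text)
        # ACL names that permit all IP traffic; applying one to an interface is flagged.
        permissive = set()
        for header, _ in sections:
            m = re.match(r"access-list (\S+) .*permit ip any any$", header)
            if m:
                permissive.add(m.group(1))
        for header, body in sections:
            m = re.match(r"interface vlan (\d+)$", header)
            if m:
                vlan = int(m.group(1))
                if ctx == admin_ctx:
                    admin_vlans.add(vlan)
                for line in body:
                    bg = re.match(r"bridge-group (\d+)$", line)
                    if bg:
                        bridge_members[int(bg.group(1))].add((ctx, vlan))
                    if line == "no normalization":
                        findings.append(f"{ctx}: vlan {vlan} disables TCP normalization")
                    ag = re.match(r"access-group (input|output) (\S+)$", line)
                    if ag and ag.group(2) in permissive:
                        findings.append(f"{ctx}: vlan {vlan} applies permit-any ACL "
                                        f"{ag.group(2)} on {ag.group(1)}")
                continue
            m = re.match(r"ft interface vlan (\d+)$", header)
            if m:
                ft_vlans.add(int(m.group(1)))
            elif header.startswith("ft peer") and ctx == admin_ctx:
                for line in body:
                    q = re.match(r"query-interface vlan (\d+)$", line)
                    if q:
                        query_vlans.append(int(q.group(1)))
    # A bridge-group (and its BVI) is local to one context; it cannot join contexts.
    for bg, members in sorted(bridge_members.items()):
        ctxs = sorted({c for c, _ in members})
        if len(ctxs) > 1:
            findings.append(f"bridge-group {bg} spans contexts {ctxs}; "
                            "a BVI cannot bridge across contexts")
    # query-interface must name a data VLAN of the admin context, never the FT VLAN.
    for vlan in query_vlans:
        if vlan in ft_vlans or vlan not in admin_vlans:
            findings.append(f"{admin_ctx}: query-interface vlan {vlan} does not exist "
                            "in this context or is the FT vlan")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIGS):
        print(finding)
```

Run against the constructed sample it reports five findings, one per planted mistake; a config whose bridge-groups stay inside one context, keeps normalization on, uses scoped ACLs and queries an Admin-context VLAN yields an empty list. The ACE rejects the `query-interface` case on its own, as the error above shows, but checking it offline avoids discovering it only when the ft peer is being typed in.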

tkumarag
Cisco Employee

Hi

Please refer to the links below

http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Troubleshooting_Guide

http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Configuration_Examples_--_Routing_and_Bridging_Configuration_Examples

Thanks

Sent from my iPhone

Thanks tkumarag for your answer.

In the link about "Example of a Bridged Configuration", it doesn't indicate how to configure the gigabit interface?

Best regards,

jm

In any way you want.

You bridge between VLANs; physical interfaces are just there to carry VLANs.
