Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
538
Views
0
Helpful
3
Replies

initiating connections from the servers behind the ACE in a bridge context

Go to solution
axfalk
Level 1
Level 1

‎08-29-2014 10:27 AM

We're running ACE A5(2.1) and have a server on a load balancing vlan in a bridge context that needs to initiate connections. Unlike servers in the routed contexts, where we had to SNAT their connections with the VIP, the client side and server side subnets in a bridge context are the same. Yet, we still can't ping a device outside of the ACE from that server in a bridge context. 

Do we still need to add an input service policy to the server side interface for the servers to initiate connections? I am listing the 2 interfaces for your review:

interface vlan 1111
  description vip vlan
  bridge-group 1
  mac-sticky enable
  no icmp-guard
  access-group input bpdu
  access-group input any
  access-group output any
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input VLAN102-VIPS
  no shutdown


interface vlan 9030
  description server vlan
  bridge-group 1
  mac-sticky enable
  no icmp-guard
  access-group input bpdu
  access-group input any
  access-group output any
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown
 

Thanks

_Greg

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Kanwaljeet Singh
Cisco Employee
Cisco Employee
In response to axfalk

‎08-30-2014 06:48 AM

Hi  Greg,

There is not much difference between bridge mode and routed mode except that you cannot NAT the pass through traffic in bridge mode but if server need to access  the VIP, you do need to do source NAT. For any other traffic you just need to allow the traffic using access-list and it should work fine.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Kanwaljeet Singh
Cisco Employee
Cisco Employee

‎08-29-2014 12:38 PM

Hi Greg,

You would need to do the SRC NAT as well as apply service-policy on the server side interface. Please have a look at the links below for similar discussions:

https://supportforums.cisco.com/discussion/10495016/connections-dropping-bridge-mode

https://supportforums.cisco.com/discussion/11193166/ace-dropped-conns-problem-bridged-mode

Regards,

Kanwal

Note: Please mark answers if they are helpful.

0 Helpful

Go to solution
axfalk
Level 1
Level 1
In response to Kanwaljeet Singh

‎08-29-2014 04:55 PM

Hey Kanwal,

As always, thanks for your response. However, in this case, the context is in the bridge mode, so the default gateway for that real server would be the layer 3 upstream switch. As such, the ACE  should not be in the path, should it?

Thanks again.

 

_ Greg

0 Helpful

Go to solution
Kanwaljeet Singh
Cisco Employee
Cisco Employee
In response to axfalk

‎08-30-2014 06:48 AM

Hi  Greg,

There is not much difference between bridge mode and routed mode except that you cannot NAT the pass through traffic in bridge mode but if server need to access  the VIP, you do need to do source NAT. For any other traffic you just need to allow the traffic using access-list and it should work fine.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents