Cisco Support Community
Community Member

Routed or bridge

I have a situation where clients and server could be in the same subnet, AND/OR client and server could be in different subnets, a kind of mixed-mode environment. My question: can ACE be configured in both Routed and Bridge mode at the same time, and if yes, then how (maybe for some servers as routed, and for some servers as bridge)? Don't want to go into multiple contexts, same servers...

Folks say that for the ACE module the best method is routed mode? True? If yes, then why?

And what is the best place for ACE, behind MSFC, or in front of MSFC.. which cases???

Accepted Solutions

Re: Routed or bridge

There is not a single answer for the routed vs bridged vs One Arm mode selection for ACE deployment. It really depends on your environment.

For example:

If you need multicast for your servers then routed mode will not work.

If you run MST then bridge mode is not a preferred solution.

If you want to log the client IP addresses then you cannot implement One Arm mode with source NAT.

If the bulk of your data is non-balanced traffic (like direct server access/SAN traffic)... then One Arm is recommended as it will not eat up ACE resources.

Performance-wise you can expect the same L4/L7 performance regardless of the LB mode (routed/bridge/one-arm).

Also, from a load balancing perspective there is no difference in terms of functionality.

So it's totally a matter of personal preference. There are a few design constraints which in some cases dictate the routed/bridge mode selection. For example, some clients do not want to make any changes to the servers (like default gateways pointing to any L3 device). In this case we cannot introduce Routed mode and bridge mode is the only logical option.

Personally, if it's a new deployment I (again personally) prefer Routed mode due to these reasons:

1. I like the Layer 3 boundary between client request and server response. This separation makes it easy to debug & troubleshoot.

2. There is no possibility of STP loops. (Remember that when you are running ACE in bridge mode you have to pass the STP BPDUs through the ACE such that the client-side VLAN & server-side VLAN have a single STP domain.)

3. Bridge mode has some limitations in performing NAT for non-load-balanced traffic (no issue with load-balanced traffic). (There are workarounds available to fix that.) Routed mode has no such limitation.

Placing an ACE before/after MSFC is also dependent on the topology. Since client traffic reaches ACE via the switch, in most of the cases it's placed after MSFC, and the HSRP IP address of MSFC is the default gateway defined on ACE.

HTH

Syed Iftekhar Ahmed

Syed

3 REPLIES

Re: Routed or bridge

It's possible to mix routed & bridged mode in both multiple context mode (where one context is bridged & the other is routed) & single context as well.

The only limitation is that a VLAN that is in a BVI (L2 mode) can't exist in 2 different contexts.

For example, in the following config VLANs 100 & 101 are bridged & VLANs 200 & 201 are routed:

interface vlan 100
  bridge-group 1
  access-group input BPDU
  access-group input ANYONE
  service-policy input MGMT
  service-policy input VIPs-Vlan100
  no shutdown

interface vlan 101
  bridge-group 1
  access-group input BPDU
  access-group input ANYONE
  service-policy input MGMT
  no shutdown

interface vlan 200
  ip address 10.2.2.1 255.255.255.0
  peer ip address 10.2.2.2 255.255.255.0
  alias 10.2.2.3 255.255.255.0
  access-group input ANYONE
  service-policy input VIPs-Vlan200
  no shutdown

interface vlan 201
  ip address 172.2.2.1 255.255.255.0
  peer ip address 172.2.2.2 255.255.255.0
  alias 172.2.2.3 255.255.255.0
  access-group input ANYONE
  no shutdown

interface bvi 1
  ip address 10.10.10.1 255.255.255.0
  peer ip address 10.10.10.2 255.255.255.0
  alias 10.10.10.3 255.255.255.0
  no shutdown

Syed Iftekhar Ahmed
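
The mixed bridged/routed layout in the post above, turned into a small config audit: it classifies each VLAN interface and flags bridged VLANs that do not pass BPDUs or whose bridge group has no BVI. This is an added example, not part of the original posts or any Cisco tooling; the `access-list BPDU ethertype permit bpdu` definition, the function names and the shortened sample config are assumptions constructed for illustration.

```python
import re

# Constructed sample: the post's interfaces, shortened. The access-list line is an
# assumed ACL definition; vlan 101 deliberately lacks the BPDU access-group.
SAMPLE = """\
access-list BPDU ethertype permit bpdu
interface vlan 100
  bridge-group 1
  access-group input BPDU
interface vlan 101
  bridge-group 1
interface vlan 200
  ip address 10.2.2.1 255.255.255.0
interface bvi 1
  ip address 10.10.10.1 255.255.255.0
"""

def parse(config):
    """Return ({(kind, number): [subcommands]}, {names of ACLs that permit BPDUs})."""
    interfaces, bpdu_acls, current = {}, set(), None
    for line in (raw.strip() for raw in config.splitlines()):
        head = re.match(r"interface (vlan|bvi) (\d+)$", line)
        acl = re.match(r"access-list (\S+) ethertype permit bpdu$", line)
        if head:
            current = (head.group(1), int(head.group(2)))
            interfaces[current] = []
        elif acl:
            bpdu_acls.add(acl.group(1))
        elif line and current and not line.startswith("access-list "):
            interfaces[current].append(line)
    return interfaces, bpdu_acls

def audit(config):
    """Classify each VLAN as bridged or routed and list bridge-mode gaps."""
    interfaces, bpdu_acls = parse(config)
    modes, findings = {}, []
    for (kind, num), cmds in interfaces.items():
        if kind != "vlan":
            continue
        group = next((c.split()[1] for c in cmds if c.startswith("bridge-group ")), None)
        has_ip = any(c.startswith("ip address ") for c in cmds)
        modes[num] = "bridged" if group else "routed" if has_ip else "unconfigured"
        if group and ("bvi", int(group)) not in interfaces:
            findings.append(f"vlan {num}: bridge-group {group} has no interface bvi {group}")
        applied = {c.split()[2] for c in cmds if c.startswith("access-group input ")}
        if group and not applied & bpdu_acls:
            findings.append(f"vlan {num}: no BPDU-permitting ACL applied on input")
    return modes, findings
```

Calling `audit(SAMPLE)` returns the per-VLAN mode map and one finding for vlan 101; the parser does not depend on indentation, so a flattened paste of a running config works too.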

Community Member

Re: Routed or bridge

Thanks Iftekhar for the comprehensive detail...

Can you please answer the next questions as well?

Folks say that for ACE module the best method is routed mode? true? if yes then why?

And what is the best place for ACE, behind MSFC, or in front of MSFC.. which cases???

