09-02-2009 08:35 AM
I have a 4710 appliance and want to use it for LB.
Following is the current setup:
firewall, 2950 switch, servers
The firewall inside interface is connected to the 2950 switch in VLAN 100.
All servers are connected to the same switch in VLAN 100. The firewall is the default gateway.
We want to connect the ACE appliance into this setup. We don't want to use the appliance in routing mode because of the default gateway change for the servers.
How do I get the ACE appliance to work in this setup in bridge mode?
I am aware there will be 2 VLANs created within the ACE. In this case one VLAN will be 100 and say the second is 200.
VLAN 100 will be facing the firewall and 200 will be facing the servers.
Does that mean all switch ports configured for the server VLAN should be changed from 100 to 200?
Then connect one interface of the ACE in VLAN 100 and the other in 200?
How will the traffic from the servers then reach the default gateway?
There is no inter-VLAN routing there.
09-02-2009 09:13 AM
You can set it up to bridge. Here's a link to the setup in the configuration guide.
09-03-2009 12:11 AM
Thanks for the reply.
The question is about how to design it when the firewall, ACE and servers will all be connected to the same switch. If the ACE is configured in bridge mode, it will need 2 VLANs: one VLAN is firewall facing and one is server facing.
firewall---vlan 100---ace appliance (bridge mode) ---vlan 200----servers
All of the above will be connected to the same switch.
What should the port config of the switch be for the servers? Which VLAN should they be in? If they are set to VLAN 200, then how will they contact their default gateway, the firewall, which is in VLAN 100?
Also, how many physical ports of the ACE appliance are required? Is it one interface per VLAN?
09-03-2009 12:46 AM
The servers should be in vlan 200 and the FW in vlan 100.
These are your switch port settings.
On the appliance you bridge vlan 200 and vlan 100 using a bvi interface.
Like this, for the FW and the servers, vlan 200 and vlan 100 are the same.
Here is the bridge config.
```
interface vlan 30
  bridge-group 30
  no normalization
  access-group input ANY
  nat-pool 1 172.16.1.1 172.16.1.1 netmask 255.255.255.255 pat
  nat-pool 2 10.51.0.77 10.51.0.77 netmask 255.255.255.255 pat
  service-policy input PERMIT-ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown
interface vlan 330
  bridge-group 30
  no normalization
  access-group input ANY
  nat-pool 1 172.16.1.1 172.16.1.1 netmask 255.255.255.255 pat
  nat-pool 2 10.51.0.77 10.51.0.77 netmask 255.255.255.255 pat
  service-policy input PERMIT-ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown
interface bvi 30
  ip address 192.168.30.10 255.255.255.0
  peer ip address 192.168.30.11 255.255.255.0
  no shutdown
```
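An added example (not from the poster above) mapping that answer onto the original question's VLAN numbers: the 2950 keeps the firewall port in VLAN 100, moves the server ports to VLAN 200, and carries both VLANs to the ACE over a single 802.1Q trunk, so the servers still reach the firewall at layer 2 through the bridge-group. Port numbers, the BVI address and the ACL name ANY (which must exist on the ACE) are assumptions.

```cisco
! --- Catalyst 2950 (assumed port numbering) ---
vlan 100
 name fw-side
vlan 200
 name server-side
!
interface FastEthernet0/1
 description firewall inside (stays in VLAN 100)
 switchport mode access
 switchport access vlan 100
!
interface range FastEthernet0/2 - 12
 description servers (moved from VLAN 100 to VLAN 200)
 switchport mode access
 switchport access vlan 200
!
interface FastEthernet0/24
 description ACE 4710 uplink, one trunk carrying both bridged VLANs
 switchport mode trunk
 switchport trunk allowed vlan 100,200
!
! --- ACE 4710: one physical port, two VLAN interfaces, one bridge-group ---
interface gigabitEthernet 1/1
 switchport trunk allowed vlan 100,200
 no shutdown
!
interface vlan 100
 description firewall-facing
 bridge-group 1
 access-group input ANY
 no shutdown
interface vlan 200
 description server-facing
 bridge-group 1
 access-group input ANY
 no shutdown
!
! BVI address is only for the ACE itself (assumed, same subnet as the
! firewall and servers); server default gateway stays the firewall.
interface bvi 1
 ip address 192.168.100.2 255.255.255.0
 no shutdown
```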
09-03-2009 05:21 AM
So I need to physically connect only one interface of the ACE appliance?
Can you please explain why NAT is used?