07-14-2010 04:06 AM
Hello
I've configured the ACE with two bridge-groups, bvi1 and bvi2. I have a VIP configured in bridge-group 1 which is reachable from the outside network, but it is inaccessible from the host in the subnet behind bridge-group 2. When I do the same test with the rserver IP address, it works.
Is such communication allowed through the ACE, and if yes, how can I configure it?
My config looks like this:
access-list any line 8 extended permit ip any any
access-list any line 16 extended permit icmp any any
access-list nat line 8 extended permit ip host 10.0.100.1 any

rserver host R1
  ip address 192.168.13.101
  inservice
rserver host R2
  ip address 192.168.202.99
  inservice

serverfarm host S1
  rserver R1 8080
    inservice

class-map match-any L4
  2 match virtual-address 192.168.13.200 tcp eq www

policy-map type loadbalance http first-match L7
  class class-default
    serverfarm S1

policy-map multi-match L4
  class L4
    loadbalance vip inservice
    loadbalance policy L7
    loadbalance vip icmp-reply

interface vlan 200
  bridge-group 1
  access-group input any
  access-group output any
  service-policy input L4
  no shutdown
interface vlan 201
  bridge-group 1
  access-group input any
  access-group output any
  no shutdown
interface vlan 202
  bridge-group 2
  access-group input any
  access-group output any
  no shutdown
interface vlan 203
  bridge-group 2
  access-group input any
  access-group output any
  no shutdown

interface bvi 1
  ip address 192.168.13.5 255.255.255.0
  no shutdown
interface bvi 2
  ip address 192.168.202.5 255.255.255.0
  no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.13.3
ip route 0.0.0.0 0.0.0.0 192.168.202.3
Client 192.168.202.99 is trying to access the VIP (192.168.13.200).
What is more, I am wondering how the ACE works with the two default gateways. Is such communication secure enough?
switch/test(config)# do sh ip route
Routing Table for Context test (RouteId 2)
Codes: H - host, I - interface
       S - static, N - nat
       A - need arp resolve, E - ecmp

Destination         Gateway             Interface    Flags
------------------------------------------------------------------------
0.0.0.0             192.168.202.3       vlan202      SE [0x4c]
0.0.0.0             192.168.13.3        vlan200      SE [0x4c]
192.168.13.0/24     0.0.0.0             bvi1         IA [0x30]
192.168.202.0/24    0.0.0.0             bvi2         IA [0x30]
Thank you in advance
Lukas
07-19-2010 06:55 AM
Configure your service policy (service-policy input L4) under the bridge-group 2 inbound interface.
Gilles.
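The point of this reply is that the ACE classifies a flow on the interface it enters, so a VIP defined in bridge-group 1 is only load balanced for a client behind bridge-group 2 if the same policy-map is also bound as an input service-policy on the bridge-group 2 interface the client's traffic arrives on. The script below is an added example written for this page, not code from the thread or from Cisco. It parses a trimmed, constructed copy of the posted configuration (same VLANs, bridge groups, VIP and policy names, flattened like the post) and reports which interfaces in the client's bridge group carry a policy whose class matches the VIP; an empty result is the situation in the original post. The helper names `parse_ace` and `interfaces_catching_vip` and the config literals are assumptions for the example.

```python
import ipaddress
import re

# Constructed config, modelled on the one posted in the thread but trimmed
# (no ACLs, rservers or "no shutdown"). Flattened as in the post, so the
# parser does not rely on indentation.
ORIGINAL_CONFIG = """
class-map match-any L4
2 match virtual-address 192.168.13.200 tcp eq www
policy-map type loadbalance http first-match L7
class class-default
serverfarm S1
policy-map multi-match L4
class L4
loadbalance vip inservice
loadbalance policy L7
loadbalance vip icmp-reply
interface vlan 200
bridge-group 1
service-policy input L4
interface vlan 202
bridge-group 2
interface vlan 203
bridge-group 2
interface bvi 1
ip address 192.168.13.5 255.255.255.0
interface bvi 2
ip address 192.168.202.5 255.255.255.0
"""

# Same config with the fix from the reply applied to vlan 203 (constructed).
FIXED_CONFIG = ORIGINAL_CONFIG.replace(
    "interface vlan 203\nbridge-group 2\n",
    "interface vlan 203\nbridge-group 2\nservice-policy input L4\n")

# Keywords that open a top-level section; only some sections are modelled.
SECTION_START = ("interface ", "class-map ", "policy-map ", "rserver ",
                 "serverfarm ", "access-list ", "ip route ")


def parse_ace(config):
    """Collect per-VLAN bridge group and input service-policies, bvi subnets,
    class-map VIPs, and the class-maps used by each multi-match policy-map."""
    interfaces, bvis, classmaps, multimatch = {}, {}, {}, {}
    kind, name = "other", None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"interface vlan (\d+)$", line):
            kind, name = "vlan", "vlan" + m.group(1)
            interfaces[name] = {"bridge_group": None, "service_policies": []}
        elif m := re.match(r"interface bvi (\d+)$", line):
            kind, name = "bvi", int(m.group(1))
        elif m := re.match(r"class-map match-(?:any|all) (\S+)$", line):
            kind, name = "classmap", m.group(1)
            classmaps.setdefault(name, set())
        elif m := re.match(r"policy-map multi-match (\S+)$", line):
            kind, name = "multimatch", m.group(1)
            multimatch.setdefault(name, set())
        elif line.startswith(SECTION_START):
            kind, name = "other", None          # section we do not model
        elif kind == "vlan":
            if m := re.match(r"bridge-group (\d+)$", line):
                interfaces[name]["bridge_group"] = int(m.group(1))
            elif m := re.match(r"service-policy input (\S+)$", line):
                interfaces[name]["service_policies"].append(m.group(1))
        elif kind == "bvi":
            if m := re.match(r"ip address (\S+) (\S+)$", line):
                bvis[name] = ipaddress.IPv4Network((m.group(1), m.group(2)),
                                                   strict=False)
        elif kind == "classmap":
            # ACE class-map lines may carry a leading line number ("2 match ...").
            if m := re.match(r"(?:\d+ )?match virtual-address (\S+)", line):
                classmaps[name].add(m.group(1))
        elif kind == "multimatch":
            if m := re.match(r"class (\S+)$", line):
                multimatch[name].add(m.group(1))
    return interfaces, bvis, classmaps, multimatch


def interfaces_catching_vip(config, client_ip, vip):
    """Return the VLAN interfaces in the client's bridge group whose input
    service-policy contains a class matching `vip`. The ACE classifies a flow
    on its ingress interface, so an empty set means the client's packets to
    the VIP are forwarded without ever being load balanced."""
    interfaces, bvis, classmaps, multimatch = parse_ace(config)
    client = ipaddress.IPv4Address(client_ip)
    bg = next((n for n, net in bvis.items() if client in net), None)
    if bg is None:
        raise ValueError(f"{client_ip} is not in any bvi subnet")
    hits = set()
    for ifname, data in interfaces.items():
        if data["bridge_group"] != bg:
            continue
        for policy in data["service_policies"]:
            for cm in multimatch.get(policy, ()):
                if vip in classmaps.get(cm, ()):
                    hits.add(ifname)
    return hits
```

Calling `interfaces_catching_vip(ORIGINAL_CONFIG, "192.168.202.99", "192.168.13.200")` returns an empty set, because neither vlan 202 nor vlan 203 carries the L4 policy; with `FIXED_CONFIG` the same call returns `{"vlan203"}`. A client on the bridge-group 1 side, for example 192.168.13.50, is caught on vlan200 in both configs. The script only checks which interfaces carry the policy; it does not know on which of the two bridge-group 2 VLANs a given client actually enters, so in practice bind the policy to the interface that faces the client, as the reply says.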
08-18-2010 01:34 PM
Hello
I apologize for answering so late, but I was on holiday.
I've configured the service-policy L4 under the interface vlan 203, but it has not helped.
I am attaching the current config (a bit modified from the last config)
Do you know what else I can do?
Thank you in advance
Lukas
08-18-2010 04:08 PM
Do you have any hits on that policy when you try to connect from VLAN 203?
Do a 'show service-policy' to verify and send me the result.
Gilles.
08-22-2010 11:25 PM
Hi
I double-checked it and it worked. Previously I had checked it by ICMP to the VIP, and this time I checked it with an HTTP/HTTPS connection.
I still could not ping the VIP IP address from the 192.168.202.99 real server, although the feature "loadbalance vip icmp-reply" is configured correctly in the policy-map.
Regards
Lukas