ACE FT multi-context bridged VLANs

David Niemann
Level 3

I have two ACE30 modules in 6509 VSS.  Each one will have three contexts (default Admin, DMZ and INSIDE).  I have created VLAN 100 and 110 for the bridged VLANs in the DMZ context and 200 and 210 for the bridged VLANs on the INSIDE context.  I want to configure failover and am trying to figure out the appropriate configuration.  The documentation discusses this in a single context with either bridging or routing.  I have additionally created a VLAN 135 that is to be used for the FT link. Do I configure the peer and group information on the Admin context or the individual context and do I only monitor the BVI interface or the actual VLANs themselves? I want to use Active/Active with DMZ primary being on peer1 and the INSIDE primary being on peer2.

I have the config below in the Admin context

ft interface vlan 153
  ip address 172.30.0.137 255.255.255.252
  peer ip address 172.30.0.138 255.255.255.252

             

context DMZ
  allocate-interface vlan 100
  allocate-interface vlan 110
  member 15-plus

context INSIDE
  allocate-interface vlan 200
  allocate-interface vlan 210
  member 15-plus

On the DMZ context I have this

interface vlan 100
  bridge-group 1
  access-group input BPDU
  access-group input ANYONE
interface vlan 110
  bridge-group 1
  access-group input BPDU
  access-group input ANYONE

interface bvi 1
  ip address 172.31.0.147 255.255.255.0
  alias 172.31.0.149 255.255.255.0

Accepted Solutions

ajayku2
Cisco Employee

Hi,

Do I configure the peer and group information on the Admin context or the individual context?

The FT is always configured in the Admin context.

You can monitor the VLAN towards the gateway.

Below is a document which explains it well:

http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples_--_Administrative_Configuration_Examples

Config extracted from the above link:

----------------------------------------

ft interface vlan 200
  ip address 192.168.1.1 255.255.255.0
  peer ip address 192.168.1.2 255.255.255.0
  no shutdown

ft peer 1
  ft-interface vlan 200
  heartbeat interval 300
  heartbeat count 10
  query-interface vlan 100

ft group 1
  peer 1
  priority 200
  associate-context testcontext   <<<< You always associate the context >>>>>>
  inservice

ft track interface TRACK_VLAN100
  track-interface vlan 100
  peer track-interface vlan 200
  priority 50
  peer priority 5

Hope that helps.

regards,

Ajay Kumar
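
An added example, not part of the original posts or of Cisco's documentation: a Python check that reads an Admin-context FT configuration laid out for the active/active split asked about above (DMZ active on this module, INSIDE on the peer) and reports contexts left out of an FT group, groups pointing at an undefined peer, and a peer whose FT VLAN was never defined. The context names and FT VLAN 153 come from the posted config; the peer and group numbers, the priority values, and the default of 100 for an unset priority are assumptions.

```python
# Constructed peer1 Admin-context sample; group numbers and priorities assumed.
ADMIN_CONFIG = """\
ft interface vlan 153
ft peer 1
  ft-interface vlan 153
ft group 1
  peer 1
  priority 150
  peer priority 50
  associate-context DMZ
  inservice
ft group 2
  peer 1
  priority 50
  peer priority 150
  associate-context INSIDE
  inservice
context DMZ
context INSIDE
"""

def stanzas(config):
    """Return [(header words, {sub-command: last word})] per top-level stanza."""
    out = []
    for line in filter(str.strip, config.splitlines()):
        w = line.split()
        if line[0].isspace() and out:
            out[-1][1][" ".join(w[:-1]) or w[0]] = w[-1]
        else:
            out.append((w, {}))
    return out

def check_ft(config):
    """Return (findings, contexts active here); unset priority assumed 100."""
    st = stanzas(config)
    vlans = {w[3] for w, _ in st if w[:3] == ["ft", "interface", "vlan"]}
    peers = {w[2]: kv for w, kv in st if w[:2] == ["ft", "peer"]}
    groups = {w[2]: kv for w, kv in st if w[:2] == ["ft", "group"]}
    ctxs = sorted(w[1] for w, _ in st if w[0] == "context")
    bad = [f"peer {p}: FT VLAN not defined" for p, kv in peers.items()
           if kv.get("ft-interface vlan") not in vlans]
    bad += [f"group {g}: unknown peer or not inservice" for g, kv in groups.items()
            if kv.get("peer") not in peers or "inservice" not in kv]
    assoc = [kv.get("associate-context") for kv in groups.values()]
    bad += [f"context {c}: in {assoc.count(c)} FT groups, expected 1"
            for c in ctxs if assoc.count(c) != 1]
    active = {kv.get("associate-context") for kv in groups.values()
              if int(kv.get("priority", 100)) > int(kv.get("peer priority", 100))}
    return bad, active
```

`check_ft(ADMIN_CONFIG)` returns no findings and `{"DMZ"}` as the locally active context; with the priorities mirrored on the peer module it would report `INSIDE` there instead.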
