04-03-2009 08:32 AM
Hi,
the customer has ACE with version 2.1.2. He has configured ACE context for bridging:
logging enable
logging console 7
logging buffered 7
switch-mode
access-list acl-bridge line 5 extended permit ip any any
probe tcp PR_Test
  interval 300
  passdetect interval 8
  open 2
rserver host SR-Test
  ip address 172.17.249.21
  inservice
serverfarm host SF-Test
  probe PR_Test
  rserver SR-Test
    inservice
class-map match-all VIP-Test-Class
  2 match virtual-address 172.17.249.20 tcp eq www
policy-map type loadbalance first-match VIP-Test-MapL7
  class class-default
    serverfarm SF-Test
policy-map multi-match Test-MapL4
  class VIP-Test-Class
    loadbalance vip inservice
    loadbalance policy VIP-Test-MapL7
    loadbalance vip icmp-reply active
interface vlan 217
  bridge-group 17
  access-group input acl-bridge
  access-group output acl-bridge
  service-policy input Test-MapL4
  no shutdown
interface vlan 218
  bridge-group 17
  access-group input acl-bridge
  access-group output acl-bridge
  no shutdown
interface bvi 17
  ip address 172.17.249.18 255.255.255.240
  no shutdown

On the Cat6500:
interface Vlan217
 ip vrf forwarding dmz
 ip address 172.17.249.17 255.255.255.240
end
The server has Default GW: 172.17.249.17
I think that the configuration is right. When he tests it, direct access to the server works, but load-balancing on the VIP address doesn't work:-( He has to add a default route to enable the load-balancing function (ip route 0.0.0.0 0.0.0.0 172.17.249.17). So where is the problem??? I think that the default route is not necessary, because it is an L2 topology and the ACE only bridges between VLANs!! The server has its default GW on the Cat6500.
Thank you.
Roman
04-05-2009 02:08 PM
Hi Roman
Have you assigned the vlans on the 6500 to the ace module?
I have something like this on my configs:
svclc autostate
svclc multiple-vlan-interfaces
svclc vlan-group 1 27,28,40
svclc vlan-group 2 310,311,312
svclc vlan-group 3 10,11,12
firewall module 1 vlan-group 1,2
svclc module 2 vlan-group 2,3
(module 1 is a fwsm and module 2 is the ace).
Have a check there if you think your config is ok. Have a look at the attached Cisco guide for configuring the ACE in bridge mode.
Cameron
04-05-2009 11:23 PM
Hi,
Thank you for your answer and the configuration guide. The customer has configured the svclc groups, so there is no problem with the VLANs - he can connect directly to the servers without load-balancing. The load-balancing works only when the default route is configured on the ACE. But I think that load-balancing has to work without the default route!!! Because this is an L2 solution. If the customer has, for example, three BVIs and three VIPs from these three IP subnets, then three default routes will have to be configured for LB!!! It is not possible:-(
04-06-2009 01:36 AM
Hi,
Maybe a dumb question, but is your server's port configured in vlan 218?
04-06-2009 03:38 AM
do a 'show np 1 me-stat "-socm"'.
Check if the following counter increments :
Drop [mac lookup fail]: 0 0
Drop [route lookup fail]: 0 0
Also do the following :
switch/Admin# sho np 1 me-stats "-sicm -v" | i look
If lookup error: 0 0
encap lookup error: 0 0
Route lookup Error: 0 0
ACE should have a static route because it needs to know the source of the traffic.
If you later on switch to L7 loadbalancing it will also need a static route.
So, better configure one.
Gilles.
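One way to carry out the "check if the counter increments" step from the reply above, as an added example that is not part of the original thread: capture the command output twice and diff the lookup counters. The thread does not say what the two numeric columns mean, so the script reports a delta per column; the sample captures are constructed.

```python
import re

# Matches counter lines such as "Drop [mac lookup fail]:   0   0".
COUNTER_RE = re.compile(
    r"^\s*(?P<name>[^:]+?)\s*:\s*(?P<values>\d+(?:\s+\d+)*)\s*$"
)


def parse_counters(text):
    """Return {counter name: tuple of ints} for every 'name: n n' line."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            values = tuple(int(v) for v in m.group("values").split())
            counters[m.group("name")] = values
    return counters


def incremented(before, after, keyword="lookup"):
    """Return {name: per-column delta} for lookup counters that grew."""
    old, new = parse_counters(before), parse_counters(after)
    changed = {}
    for name, values in new.items():
        if keyword not in name.lower():
            continue
        prev = old.get(name, (0,) * len(values))
        delta = tuple(n - p for n, p in zip(values, prev))
        if any(d > 0 for d in delta):
            changed[name] = delta
    return changed


# Constructed sample captures, taken before and after a test connection
# to the VIP. Column meaning is an assumption left uninterpreted.
BEFORE = """\
Drop [mac lookup fail]:      0   0
Drop [route lookup fail]:    0   0
encap lookup error:          0   0
"""
AFTER = """\
Drop [mac lookup fail]:      0   0
Drop [route lookup fail]:   14   0
encap lookup error:          0   0
"""

if __name__ == "__main__":
    for name, delta in incremented(BEFORE, AFTER).items():
        print(f"{name}: +{delta}")
```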
04-06-2009 06:03 AM
Thank you. I tried these show commands.
About the static route - if I have this configuration:
interface bvi 17
  ip address 172.17.249.18 255.255.255.240
interface bvi 18
  ip address 172.18.249.18 255.255.255.240
interface bvi 19
  ip address 172.19.249.18 255.255.255.240
class-map match-all VIP-Test-Class
  2 match virtual-address 172.17.249.20 tcp eq www
class-map match-all VIP-Test-Class1
  2 match virtual-address 172.18.249.20 tcp eq www
class-map match-all VIP-Test-Class2
  2 match virtual-address 172.19.249.20 tcp eq www
which default route will I have to configure??
ip route 0.0.0.0 0.0.0.0 172.17.249.17 or
ip route 0.0.0.0 0.0.0.0 172.18.249.17 or
ip route 0.0.0.0 0.0.0.0 172.19.249.17
Thank you
Roman
04-06-2009 12:11 PM
You need all 3 of them.
We're not using them to route but just to verify the source of the traffic.
Gilles.
04-07-2009 11:17 AM
Is it possible to disable the verification of the source of traffic on the ACE module?
04-07-2009 11:17 PM
You can create static arp entries for the gateway.
Or configure the gateway as rserver.
The thing is we need to see the mac-address for the source of the traffic in our arp table.
But before testing anything in the dark, get the commands I asked for to verify this is the problem and not something else.
Gilles.