
Configuring ACE for Virtual Servers


We are configuring the ACE module for load balancing of two real servers in bridged mode. The real servers are actually virtual machines. Before the load-balancing configuration, the physical server was connected to the MSFC with the actual vlan 47. The virtual servers have IP addresses in the vlan 47 subnet. As we are configuring the ACE in bridged mode, the client-facing and server-facing vlans will be different, and they are bridged in the ACE. But the problem is that all the virtual servers in the physical machine are not going to be load balanced. For this, what the server team did is they provided one additional SEA (shared etherchannel adapter) in the physical server and connected it directly to the MSFC. We assigned those interfaces to the bridged vlan. After doing this, we faced the following problems:

1. The real server was not reachable.

2. Once the interfaces were put back in the actual vlan, it became reachable.

3. The VIP is operational but all the connections are getting dropped.

4. Though the real servers are reachable on the ports configured in the ACE, we are still unable to access by the VIP.

Can anybody give us a solution to this issue? If any clarification is required, please let me know.

Thanks in advance





Could you add the config of the context?

The first thought on this is what is permitted in your access list?

Gilles Dufour
Cisco Employee


If your servers can bypass the ACE to reach their gateway, the response will never go through the ACE and it will be ignored by the client because it is not coming from the VIP.

So, you need your rserver to only share a vlan with the ACE module, i.e. vlan 47.

interface vlan 47 should NOT exist on the MSFC.

Instead create an interface with a different vlan.

Configure the ACE module with the same vlan interface and bridge this new vlan with vlan 47.



Thanks for your response. But I believe the ACE configuration is OK. You can see the config file attached.

The problem is that the same concept works very well with physical servers. For example, the server-facing vlan is 447 and the client-facing vlan is 47. The vlan 47 interface is available in the FWSM (not in the MSFC) and interface BVI is in the ACE. Both vlan 447 and 47 are bridged in the ACE. The problem is when this concept is applied to virtual servers which are inside a physical server. Suppose the physical server is not going to take part in the load balancing activity, but only the virtual servers are going to take part.

What the server people did on their part is they configured one SEA (shared etherchannel adapter for the virtual servers), which is a bundle of 2x1G access ports accessing vlan 447 (server-side vlan).

rserver is ESB-test & serverfarm is TEST80 & TEST443.

If you need any further information, please let me know.

Hi All,

Looking for anybody who has experienced this kind of scenario.

Please let me know if anybody has gone through this or has any idea about it.

Thanks & Regards


You will have to take a sniffer trace and see what is going on.

If it works with a physical server, it means the ACE config is correct.

The problem is probably your virtual server is not configured to use vlan 447.

Again, get a sniff to be sure.

I'm using VMware in my lab, so 1 physical server and many virtual servers. It works.

For ACE itself it does not matter what kind of server it is.

The ACE device only looks at network traffic and just expects to see the response coming back to it.
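One way to read the sniffer trace suggested above, added here as an example and not code from any poster in this thread: it classifies each TCP handshake toward the VIP by where the SYN-ACK came from, which separates the "reply bypassed the ACE" case from the "server never answered" case. The addresses, the tuple format and the function names are assumptions; the trace is constructed.

```python
# Added example: classify TCP handshakes toward the VIP from a client-side capture.
# All addresses are assumed placeholders (RFC 5737 documentation ranges).
VIP = "192.0.2.10"
RSERVERS = {"192.0.2.21", "192.0.2.22"}

# Constructed sample, one tuple per captured segment:
# (src_ip, src_port, dst_ip, dst_port, tcp_flags)
SAMPLE_TRACE = [
    ("198.51.100.5", 40001, VIP, 80, "S"),
    (VIP, 80, "198.51.100.5", 40001, "SA"),           # reply rewritten by the ACE
    ("198.51.100.5", 40002, VIP, 80, "S"),
    ("192.0.2.21", 80, "198.51.100.5", 40002, "SA"),  # reply that never crossed the ACE
    ("198.51.100.5", 40002, "192.0.2.21", 80, "R"),   # client rejects the unknown peer
    ("198.51.100.6", 40003, VIP, 443, "S"),
    ("198.51.100.6", 40003, VIP, 443, "S"),           # retransmitted SYN, no answer
]


def classify_handshakes(packets, vip, rservers):
    """Map each (client_ip, client_port) that sent a SYN to the VIP to a verdict:
    'via-ace'  - SYN-ACK sourced from the VIP, the return path crosses the ACE
    'bypass'   - SYN-ACK sourced from a real server address, the ACE was skipped
    'no-reply' - no SYN-ACK seen at all for that client socket
    """
    verdicts = {}
    for src, sport, dst, dport, flags in packets:
        if flags == "S" and dst == vip:
            verdicts.setdefault((src, sport), "no-reply")
        elif flags == "SA" and (dst, dport) in verdicts:
            if src == vip:
                verdicts[(dst, dport)] = "via-ace"
            elif src in rservers and verdicts[(dst, dport)] != "via-ace":
                verdicts[(dst, dport)] = "bypass"
    return verdicts


def summarize(verdicts):
    """Count verdicts so a capture can be judged at a glance."""
    counts = {"via-ace": 0, "bypass": 0, "no-reply": 0}
    for verdict in verdicts.values():
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    result = classify_handshakes(SAMPLE_TRACE, VIP, RSERVERS)
    for client, verdict in sorted(result.items()):
        print(client, verdict)
    print(summarize(result))
```

A capture dominated by `bypass` matches the bypass condition described earlier in the thread, while `no-reply` is what a server that is not actually attached to vlan 447 would produce.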



Thanks for your valuable response.

You are very much right that if it is working for physical servers it should also work for virtual servers as well.

The thing is, as per the server team, they have allocated one SEA (shared Ethernet Adapter) dedicated to the servers to be load balanced, and nothing is configured at the server side for vlan tagging. The vlan tagging is only configured at the switch end (the switch port is only configured to access vlan 447). So you mean to say the vlan tagging also has to be configured at the server end too?

Waiting for your reply.

Thanks & Regards



If the server is not configured for VLAN tagging, and indeed the logical switch is correctly configured to present the right VLANs to the right servers, then the VLAN traffic will not make it to the virtual server you need it to get to. Think of it as like setting up two switches, one forced to trunk, one forced to access mode.

Depending upon what the server does, I can see two main scenarios. It can ignore the tags but read the traffic, in which case responses will appear on the native VLAN, or it can ignore any tagged traffic, in which case the virtual servers will only see traffic sent on the native VLAN.


My VMware server is configured for vlan tagging. This is how I make it work.

