
design question: ACE module connected to 2 different L3 engine while in bridge mode

RAMAN AZIZIAN
Level 1

fellow engineers,

i have been working on a design model, where the ACE module will provide SLB for both virtual and real servers. we have been deploying several UCS systems and the customer would like to use the ACE as our Enterprise SLB layer configured in bridge mode.

the msfc within the 6509 provides the L3 routing. however we may extend multiple vlans (v160-v163) via nexus switch layer (7k,5k,2k) to a FW appliance which now is the svi interface for the extended vlans. these vlans will be configured on a dedicated context.

the extension is based on the bridge mode operation as follows:

need help with the following:

1) if i have 4 bvi's configured, do i need to have default route configured?

2) my total count for vlans are: v160-v163 for server vlans, and v101 is the management vlan. the svi for this vlan is on the msfc card. the server GW are pointing to each dedicated svi's on the FW+L3 appliance.

3) if my default route on the context is pointing to the v160 svi on the FW+L3 engine, will that prevent the return traffic for other vlans (v161-v163) from the ace toward the client?

4) is default route necessary if you have the ace in bridge mode.

it was brought to my attention that if you have multiple vlans configured in bridge mode pointing to another L3 engine, then each vlan would have to be configured on separate context since you can only have one default route per context.

i appreciate any feedback on this inquiry. if you need additional information please let me know.

thanks and best regards,

raman azizian


mruuth
Level 1

Hi Raman,

You can have up to eight default routes in one context. What the ACE does with the entries is create an ARP entry with the name GATEWAY. If you need more than eight entries, just declare the gateways as rservers. In that case the ARP entry is stored as RSERVER instead of GATEWAY. The trick is to tell the ACE to learn the MAC address for the IP address and store it in the ARP table. The ACE never learns a MAC address by itself. Don't forget mac-sticky enable on VLANs facing the gateway.

I'm running one context in bridge mode and have 18 bvi's with FW and Router 6509 as gateways.

Example:

Interface to ROUTER 6509

interface vlan 300
  bridge-group 300
  no normalization
  mac-sticky enable
  access-group input BPDU
  access-group input alla
  access-group output alla
  service-policy input lb-int-vlan300
  no shutdown

rserver host 300GATEWAY
  ip address 164.135.121.47
  inservice

A#1/prod1# sho arp | i 164.135.121.47
164.135.121.47  00.08.e3.ff.fc.14  vlan300   RSERVER    4775   239 sec      up
A#1/prod1#

Interface to FIREWALL

interface vlan 802
  bridge-group 802
  no normalization
  mac-sticky enable
  access-group input BPDU
  access-group input alla
  access-group output alla
  service-policy input lb-int-vlan802
  no shutdown

rserver host 802GATEWAY
  ip address 192.168.137.1
  inservice

192.168.137.1   00.23.33.6a.bf.80  vlan802   RSERVER    4785   5 sec        up

Regards

Mats
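
An offline check of the two points in the reply above, added here as an example and not part of the original post: every gateway declared as an rserver must have a usable ARP entry, and the VLAN it was learned on must carry `mac-sticky enable`. The function names are hypothetical, the `*GATEWAY` naming and the `show arp` column positions are assumed from the reply's own lines, and the sample config is constructed.

```python
import re

# Constructed input modelled on the reply's config; "mac-sticky enable" is
# deliberately left off vlan 802 so the audit has something to report.
CONFIG = """\
interface vlan 300
  bridge-group 300
  mac-sticky enable
interface vlan 802
  bridge-group 802
rserver host 300GATEWAY
  ip address 164.135.121.47
  inservice
rserver host 802GATEWAY
  ip address 192.168.137.1
  inservice
"""
# The two "show arp" rows as printed in the reply.
ARP = """\
164.135.121.47  00.08.e3.ff.fc.14  vlan300   RSERVER    4775   239 sec      up
192.168.137.1   00.23.33.6a.bf.80  vlan802   RSERVER    4785   5 sec        up
"""

def blocks(config):
    """Map each unindented header line to its indented sub-commands."""
    out, cur = {}, None
    for line in filter(str.strip, config.splitlines()):
        if not line[0].isspace():
            cur = " ".join(line.split())  # normalise spacing in the header
            out[cur] = []
        elif cur is not None:
            out[cur].append(line.strip())
    return out

def audit(config, arp):
    """Return one finding per gateway rserver (assumed naming: *GATEWAY)."""
    cfg, findings = blocks(config), []
    # Assumed columns: IP, MAC, interface, type, ..., status (last field).
    rows = {f[0]: f for f in map(str.split, arp.splitlines()) if len(f) >= 5}
    for head, body in cfg.items():
        m = re.fullmatch(r"rserver host (\S+GATEWAY)", head)
        if not m:
            continue
        name = m.group(1)
        ip = next((b.split()[2] for b in body if b.startswith("ip address ")), None)
        row = rows.get(ip)
        if row is None or row[3] not in ("RSERVER", "GATEWAY") or row[-1] != "up":
            findings.append(f"{name}: no usable ARP entry for {ip}")
        elif "mac-sticky enable" not in cfg.get("interface vlan " + row[2].removeprefix("vlan"), []):
            findings.append(f"{name}: {row[2]} lacks mac-sticky enable")
    return findings
```

Calling `audit(CONFIG, ARP)` on the constructed sample reports only the vlan802 gap; with the reply's full interface blocks it returns an empty list.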