08-29-2014 10:27 AM
We're running ACE A5(2.1) and have a server on a load balancing vlan in a bridge context that needs to initiate connections. Unlike servers in the routed contexts, where we had to SNAT their connections with the VIP, the client side and server side subnets in a bridge context are the same. Yet, we still can't ping a device outside of the ACE from that server in a bridge context.
Do we still need to add an input service policy to the server side interface for the servers to initiate connections? I am listing the 2 interfaces for your review:
interface vlan 1111
  description vip vlan
  bridge-group 1
  mac-sticky enable
  no icmp-guard
  access-group input bpdu
  access-group input any
  access-group output any
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input VLAN102-VIPS
  no shutdown

interface vlan 9030
  description server vlan
  bridge-group 1
  mac-sticky enable
  no icmp-guard
  access-group input bpdu
  access-group input any
  access-group output any
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown
Thanks
_Greg
08-30-2014 06:48 AM
Hi Greg,
There is not much difference between bridge mode and routed mode, except that you cannot NAT the pass-through traffic in bridge mode; but if a server needs to access the VIP, you do need to do source NAT. For any other traffic, you just need to allow the traffic using an access-list and it should work fine.
Regards,
Kanwal
Note: Please mark answers if they are helpful.
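As an added illustration of the point above (this is not config from the thread or from Cisco's documentation), the fragment below covers only the case where a server on vlan 9030 must reach a VIP in the same bridge-group: the server-side interface gets its own input service policy whose VIP class source-NATs the server's connection, so the real server's reply returns through the ACE instead of going straight back across the shared subnet. The VIP 10.1.2.10, the pool address 10.1.2.250, the 10.1.2.0/24 subnet, the names SERVER_OUT, VIP_HTTP, SERVER_TO_VIP and LB_POLICY are all assumptions; lines starting with "!" are annotations, not ACE syntax, and the ACL is scoped to the server subnet rather than permitting any source.

```text
! Added example, not from the thread. All addresses and names below are
! constructed placeholders; substitute the real addressing of bridge-group 1.
! Allow server-initiated traffic through the bridge, scoped to the server subnet.
access-list SERVER_OUT line 10 extended permit ip 10.1.2.0 255.255.255.0 any

! Match server connections aimed at the VIP (assumed 10.1.2.10:80).
class-map match-all VIP_HTTP
  2 match virtual-address 10.1.2.10 tcp eq 80

! Server-side policy: load balance the hit and source-NAT it to pool 1,
! which lives on the interface facing the real servers (vlan 9030).
policy-map multi-match SERVER_TO_VIP
  class VIP_HTTP
    loadbalance vip inservice
    loadbalance policy LB_POLICY
    nat dynamic 1 vlan 9030

interface vlan 9030
  description server vlan
  bridge-group 1
  access-group input SERVER_OUT
  nat-pool 1 10.1.2.250 10.1.2.250 netmask 255.255.255.255 pat
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input SERVER_TO_VIP
  no shutdown
```

Server traffic that does not target a VIP (such as the ping in the original question) is not NATed here; it is simply permitted by SERVER_OUT and bridged, which is the pass-through case Kanwal describes.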
08-29-2014 12:38 PM
Hi Greg,
You would need to do the SRC NAT as well as apply service-policy on the server side interface. Please have a look at the links below for similar discussions:
https://supportforums.cisco.com/discussion/10495016/connections-dropping-bridge-mode
https://supportforums.cisco.com/discussion/11193166/ace-dropped-conns-problem-bridged-mode
Regards,
Kanwal
Note: Please mark answers if they are helpful.
08-29-2014 04:55 PM
Hey Kanwal,
As always, thanks for your response. However, in this case, the context is in the bridge mode, so the default gateway for that real server would be the layer 3 upstream switch. As such, the ACE should not be in the path, should it?
Thanks again.
_ Greg