05-06-2014 04:54 PM
We need to load balance a couple of remote servers on an existing context that had been configured in bridged mode. Considering ACE can't SNAT bridged traffic, are there any other ways to accomplish that?
Running Version A5(2.1) on the ACE..
Thanks.
Greg..
05-06-2014 05:44 PM
Hi Greg,
The ACE can source NAT the traffic as long as it hits the VIP. ACE cannot do the same for pass-through traffic as it does in routed mode.
Also, if SNAT is configured in bridge mode a layer 7 policy map is required. For more details, please visit the below link:
http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/ace/vA5_1_0/configuration/rtg_brdg/guide/rtbrgdgd/bridge.html
Regards,
Kanwal
05-06-2014 06:24 PM
Hey Kanwal, appreciate the response. Could you please clarify why configuring the SNAT is different in bridge mode than routed?
thanks again..
_Greg
05-06-2014 06:57 PM
Hi Greg,
SNAT configuration is similar. In bridge mode the ACE acts as a bump in the wire for the same subnet, or you can say as a switch. It just takes the traffic from one VLAN and bridges it to another (same subnet). When deploying ACE in bridge mode you don't need to change the default gateway on the servers etc. Routed mode treats ACE as a hop in the path and routes the traffic from one subnet to another (can be one subnet as in one-arm mode); that's the reason it can do NAT for normal traffic going through it, whereas in bridge mode ACE just acts as a bridge (L2 for the same subnet) and cannot do the same.
Regards,
Kanwal
05-07-2014 08:43 AM
kk..thanks..but SNAT is done at layer 3 as it rewrites the IP address in the packet. So, how is ACE able to do the same at layer 2? Also, why do we need to have a transparent serverfarm at the Layer 7 policy for this to work?
Thanks again.
_ Greg
05-08-2014 06:29 PM
Hi Greg,
Source NAT is only for traffic that matches the conditions and comes to ACE for load balancing. Bridge mode is how you deploy it. ACE still performs Layer 4 to Layer 7 inspections, NAT, SSL etc.
So bridge mode is convenient in cases where you don't need to change the setup, like changing the default gateway of servers etc. You just need to change VLANs and introduce ACE. ACE will switch the traffic from the client to the server VLAN for the same subnet. All the other traffic, like let's say a few clients accessing the servers directly for management/maintenance (not coming to the VIP), will work without any problems because for them ACE is just like a switch.
A similar discussion regarding bridge and routed mode:
https://supportforums.cisco.com/discussion/11041321/ace-4710module-routed-vs-bridged-mode
A transparent serverfarm is not needed for source NAT. That is just an example. It is needed in cases where you don't want the ACE to rewrite the destination IP to the real server IP. Basically, in those cases ACE doesn't see both legs of the connection. You can read about direct server return and its details.
Something more related to bridge mode:
http://docwiki.cisco.com/wiki/Basic_Load_Balancing_Using_Bridged_Mode_on_the_Cisco_Application_Control_Engine_Configuration_Example
Regards,
Kanwal
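The two points made in this thread (source NAT applies only to flows that hit the VIP, and SNAT in bridge mode calls for a Layer 7 loadbalance policy map) put together in a minimal bridge-mode configuration, added here as an illustration and not taken from the thread or from Cisco's documentation. All names, addresses and VLAN numbers are constructed, and the command syntax is written from memory of the ACE A5 CLI rather than copied from the linked guide.

```text
! Constructed example: one bridged subnet 192.168.1.0/24 spanning client VLAN 10
! and server VLAN 20. Servers keep their existing default gateway (upstream router),
! which is the point of bridge mode. Names and addresses are invented.

access-list ALL line 10 extended permit ip any any

rserver host WEB1
  ip address 192.168.1.11
  inservice

serverfarm host SF-WEB
  rserver WEB1
    inservice

! Only flows to this VIP are load balanced and SNATed; all other traffic is bridged untouched.
class-map match-all VIP-WEB
  2 match virtual-address 192.168.1.100 tcp eq 80

! Layer 7 (HTTP) load-balance policy map, as required for SNAT in bridge mode.
policy-map type loadbalance first-match LB-WEB
  class class-default
    serverfarm SF-WEB

! "nat dynamic 1 vlan 20": rewrite the client source address to pool 1 on the server-side VLAN.
policy-map multi-match CLIENT-VIPS
  class VIP-WEB
    loadbalance vip inservice
    loadbalance policy LB-WEB
    nat dynamic 1 vlan 20

interface vlan 10
  description client side
  bridge-group 1
  access-group input ALL
  service-policy input CLIENT-VIPS
  no shutdown

! The NAT pool address must lie in the bridged subnet so servers reach it at layer 2.
interface vlan 20
  description server side
  bridge-group 1
  access-group input ALL
  nat-pool 1 192.168.1.200 192.168.1.200 netmask 255.255.255.255 pat
  no shutdown

interface bvi 1
  ip address 192.168.1.5 255.255.255.0
  no shutdown
```

Server replies return to 192.168.1.200, so the ACE sees both legs of the connection; no transparent serverfarm is involved here.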