06-05-2012 06:37 AM
Hello
Would someone please confirm to me that it's possible to create two BVIs in the same context? Also that in order for something in BVI 10 to connect to a VIP in BVI 20 it needs to pass through the upstream FWSM?
e.g.
interface vlan 10
  description Web Production DMZ Client-side
  bridge-group 10
  mac-sticky enable
  access-group input ACL_BPDUAllow
  access-group input ACL_ALLIP
  access-group output ACL_ALLIP
  service-policy input PM_MGT_ICMP
  service-policy input PM_WEB

interface vlan 11
  description Web Production DMZ Server-side
  bridge-group 10
  mac-sticky enable
  access-group input ACL_BPDUAllow
  access-group input ACL_ALLIP
  access-group output ACL_ALLIP
  service-policy input PM_MGT_ICMP

interface vlan 20
  description App Production Zone Client-side
  bridge-group 20
  mac-sticky enable
  access-group input ACL_BPDUAllow
  access-group input ACL_ALLIP
  access-group output ACL_ALLIP
  service-policy input PM_MGT_ICMP
  service-policy input PM_APP

interface vlan 21
  description App Production Zone Server-side
  bridge-group 20
  mac-sticky enable
  access-group input ACL_BPDUAllow
  access-group input ACL_ALLIP
  access-group output ACL_ALLIP
  service-policy input PM_MGT_ICMP

interface bvi 10
  ip address 10.10.0.2 255.255.255.0
  alias 10.10.0.4 255.255.255.0
  peer ip address 10.10.0.3 255.255.255.0
  description Web Production DMZ SLB Bridge

interface bvi 20
  ip address 10.20.0.2 255.255.255.0
  alias 10.20.0.4 255.255.255.0
  peer ip address 10.20.0.3 255.255.255.0
  description App Production Zone SLB Bridge
We appear to be encountering an issue with a similar configuration to the above, where if something in either server VLAN (Web or App) tries to connect to a VIP in the other BVI then it doesn't traverse the upstream FWSM; it just somehow makes a direct connection, which then appears to fail, I assume, due to the lack of a route back?
Thanks in advance
Martin
06-05-2012 10:59 AM
Hi Martin,
Yes, you can have two BVIs in the same context. Have you tried configuring a nat-pool to do source NAT? It sounds like an asymmetric flow.
_________________________
Cesar R
06-05-2012 02:15 PM
Hi Cesar
Thanks for the reply.
I am pretty much certain that there is no asymmetric flow. The current setup is using CSM in bridged mode and we are migrating to ACE. The FWSM also shows hits in the current setup between Web and App zones.
My colleague found this post which seems to have been an identical issue.
https://supportforums.cisco.com/message/3137301
However, there is no explanation as to why we would need to apply the service-policy on the server side of the second BVI. It does appear to have fixed the issue, but there is no real explanation as to why it would; it seems nonsensical. Any comments or understanding to share on this method?
We have used NAT previously for servers which need to call a client-side VIP, but this is only applicable when there is one BVI, not two. It should route via the FWSM?
Thanks
Martin
06-08-2012 02:59 PM
Hi Martin,
The traffic will enter the ACE on BVI 20, so we need to match the traffic at that moment; otherwise the ACE is not going to have a hit on the VIP. That is the reason.
06-08-2012 03:29 PM
Hi Cesar
I'm still confused... If I had a switch with two VLANs with a firewall being the device routing between the two VLANs, I would expect that traffic from one VLAN would need to route through the firewall to reach the other. For ACE this doesn't seem to be the case; I'm unclear why it's allowed to shortcut the firewall?
For example, I could be running different types of inspection on my "firewall", which this traffic would then be allowed to circumvent.
Thanks
Martin
06-09-2012 01:09 PM
Hi Martin,
Please read below.
By default, the ACE does not allow traffic from one context to another context over a transparent firewall. The ACE assumes that VLANs in different contexts are in different Layer 2 domains, unless it is a shared VLAN. The ACE allocates the same MAC address to the VLANs.
When you are using a firewall service module (FWSM) to bridge traffic between two contexts on the ACE, you must assign two Layer 3 VLANs to the same bridge domain. To support this configuration, these VLAN interfaces require different MAC addresses.
To enable the autogeneration of a MAC address on a VLAN interface, use the mac address autogenerate command in interface configuration mode. The syntax of this command is as follows:
mac address autogenerate
For example, enter:
host1/Admin(config-if)# mac address autogenerate
Hope that helps.
regards,
Ajay Kumar
06-09-2012 01:47 PM
Hi Ajay
I understand this, but I am talking about two BVIs in the same context with a FWSM operating at layer 3 (not transparent).
In my example I have FWSM interfaces:
VLAN 10 - ip address 10.10.0.1 255.255.255.0
VLAN 20 - ip address 10.20.0.1 255.255.255.0
With BVI 10 and 20 relating to the above. The link I posted previously says...
If I have something on the server side of VLAN 20 which wishes to call a VIP in the VLAN 10 IP range, then it is necessary to apply the service-policy for the VIP in VLAN 10 to the server-side interface of VLAN 20. This means the VIP is in a completely different IP subnet from that associated with the BVI. It also means the traffic doesn't pass through my routed FWSM, but instead hops from one BVI to another on the ACE?
Thanks
Martin
06-09-2012 02:53 PM
Yes, true. When you apply a policy to a particular VLAN it advertises its VIP over that VLAN and starts listening for that VIP.
You can have the same VIP listening on multiple VLANs.
I will try to get an example, but you are in the right direction.
ACE acts as a patch between two VLANs.
Ideally, if you are designing FWSM in L3 mode, it should be like this:
Client VLAN >> (Firewall VLAN ---- ACE VLAN) -- common vlan >> Server VLAN
Say VLAN 30 >> VLAN 20 >> VLAN 10
If you are trying to publish a VIP which belongs to VLAN 20 to VLAN 10, ACE will start listening for the VIP on this VLAN, and then any packet coming to that VLAN will match the class-map and policy, and the load balancing decision will be taken based on that.
I know you will ask how two different subnets will communicate, but in this case the server will send any packet to its default gateway, which is ACE, and ACE knows it is supposed to listen for that VIP on VLAN 10.
If you are worried about security then remember that client traffic cannot bypass the firewall. It is just the server traffic, which is already in the trusted zone, that bypasses the firewall.
Hope that helps.
regards,
Ajay Kumar
06-09-2012 03:34 PM
Hi Ajay
I have drawn a diagram to try and help. On the left I have what I would expect: if a server in VLAN 21 wanted to call a VIP in VLAN 10, I would expect it would use its default gateway to route to the FWSM, pass through the firewall, and then hit the VIP using the client-side VLAN 10. What I have read, and what appears to work, is that you must apply the service-policy, including the VIP for VLAN 10, on the server side of the other BVI, in this case VLAN 21. In this case I do not believe the traffic has to pass through the FWSM to get from the server in VLAN 21 to the VIP originally in VLAN 10 and onward to the servers hosted in VLAN 11?
Please note both BVI and all four VLAN are in the same ACE context.
Thanks
Martin
06-11-2012 12:33 AM
Question: I would expect, if a server in VLAN 21 wanted to call a VIP in VLAN 10, that it would use its default gateway to route to the FWSM.
Answer: If the default gateway on servers in VLAN 21 is pointing to ACE, this is not going to happen. Only if the default gateway is pointing to FWSM will it work the way you expect.
Usually when the ACE is in routed mode all the servers point their default gateway to ACE. In that case, if the packet reaches ACE (the default gateway) looking for a virtual IP, then it will process the packet for that VIP instead of forwarding it to FWSM.
Question: What I have read, and what appears to work, is that you must apply the service-policy, including the VIP for VLAN 10, on the server side of the other BVI, in this case VLAN 21. In this case I do not believe the traffic has to pass through the FWSM to get from the server in VLAN 21 to the VIP originally in VLAN 10 and onward to the servers hosted in VLAN 11?
Answer: Yes, your understanding is correct; the traffic will not pass through FWSM. It will go straight to the ACE and ACE will load balance the traffic to VLAN 11.
That's the reason why you apply the policy on VLAN 21 as well, so that the packet will be matched on VLAN 21 and the load balancing decision will be taken.
Hope that helps
regards,
Ajay Kumar
06-11-2012 01:58 AM
Hi Ajay
The servers in VLAN 21 do have their default gateway pointing at FWSM.
It seems like the use of the service-policy on VLAN 21 to load balance to servers in VLAN 11 is just the way it can work... I understand that this configuration works on the ACE.
What I guess my question is now:
Is applying the service-policy to VLAN 21 the only way to have it work, or will the traffic passing (bridged) through BVI 20 up to FWSM and routed down to VLAN 10 to hit the service-policy work also? I ask as we've been unable to get this second option, the way I'd prefer it to work, working.
Many Thanks
Martin
06-11-2012 02:34 AM
Question: Is applying the service-policy to VLAN 21 the only way to have it work, or will the traffic passing (bridged) through BVI 20 up to FWSM and routed down to VLAN 10 to hit the service-policy work also? I ask as we've been unable to get this second option, the way I'd prefer it to work, working.
Ideally it should work that way as well. The idea is that the packet should reach the ACE on VLAN 10.
If the FWSM is able to NAT it and forward it to ACE, it should work.
A few things to check:
1) Check if the packet is going to FWSM or not. An access list or a capture on the firewall will show it.
2) Check if FWSM is NATting the packet to the VIP IP or not (check if NAT is configured for that subnet range).
If the packet is getting NATted and reaching ACE, it should work.
regards,
Ajay Kumar
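A worked ACE configuration for the two paths discussed in this thread, added here as an illustration; it is not from any of the posts above. It assumes a Web VIP of 10.10.0.100:80 in the BVI 10 subnet, two real servers in VLAN 11, a server farm SF_WEB, a load-balance policy LB_WEB, a nat-pool 1 on VLAN 11, and an FWSM access-list ACL_APP_OUT; all of those names and addresses are assumptions. The point it shows is that the VIP class-map is evaluated on the VLAN where a packet enters the ACE, so whichever VLANs carry PM_WEB are the VLANs whose hosts reach the VIP without the FWSM ever seeing the flow.

```text
! --- Added example, not the original poster's configuration ---

! Real servers and server farm in the Web server-side VLAN 11 (assumed)
rserver host WEB01
  ip address 10.10.0.11
  inservice
rserver host WEB02
  ip address 10.10.0.12
  inservice

serverfarm host SF_WEB
  rserver WEB01 80
    inservice
  rserver WEB02 80
    inservice

! The VIP lives in the BVI 10 subnet (assumed address)
class-map match-all CM_WEB_VIP
  2 match virtual-address 10.10.0.100 tcp eq www

policy-map type loadbalance first-match LB_WEB
  class class-default
    serverfarm SF_WEB

! Optional source NAT on the server-side VLAN (Cesar's nat-pool suggestion):
! the web servers then reply to the ACE rather than toward their FWSM gateway,
! so the return path is unambiguous whichever VLAN the client came in on.
interface vlan 11
  nat-pool 1 10.10.0.200 10.10.0.200 netmask 255.255.255.255 pat

policy-map multi-match PM_WEB
  class CM_WEB_VIP
    loadbalance vip inservice
    loadbalance policy LB_WEB
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 11

! Normal placement: clients reach the VIP from the FWSM on client-side VLAN 10
interface vlan 10
  bridge-group 10
  service-policy input PM_WEB

! Option A (what the linked post and Ajay describe): PM_WEB also attached on
! the server side of BVI 20. A server in VLAN 21 sending to 10.10.0.100 now
! matches CM_WEB_VIP on ingress and is load balanced to VLAN 11 by the ACE
! itself; the FWSM and any inspection configured on it are bypassed for
! this server-to-VIP traffic.
interface vlan 21
  bridge-group 20
  service-policy input PM_WEB

! Option B (Martin's preferred path): leave PM_WEB off VLAN 21. The server's
! packet is bridged out of BVI 20 to its default gateway (FWSM 10.20.0.1),
! the FWSM routes it into VLAN 10, and PM_WEB on VLAN 10 takes the hit.
! The FWSM must permit the flow to the VIP; assumed rule on the FWSM:
!   access-list ACL_APP_OUT extended permit tcp 10.20.0.0 255.255.255.0 host 10.10.0.100 eq 80
```

To check which path a given flow took, look at the FWSM connection table or an access-list hit counter for 10.20.0.0/24 to 10.10.0.100: with Option A there will be no hits, because the ACE answered on VLAN 21. If the firewall's inspection between the App and Web zones is part of the security design, do not attach PM_WEB to VLAN 21 and use Option B, verifying the two items Ajay lists above (the packet reaches the FWSM, and the FWSM forwards it unchanged or NATted onto VLAN 10).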