Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1370
Views
0
Helpful
7
Replies

ACE in bridge-mode need static IP routes?

lacirasella
Level 1
Level 1

‎01-21-2011 07:35 AM

Hi,

i'm trying to configure FIREWALL load-balancing via ACE in L2 mode, and

there is something i don't understand.

"client 1" ping "client 2", trace shows

- the ping crossing MSFC

- arriving on ACE via VLAN 10

- existing via ACE VLAN 11

- ping reach the FW1 on vlan 11 and exit FW1 on VLAN 21

- finally we see the ping on ACE on VLAN 21 but never exit on VLAN 20

     client 1

         |

     MSFC 1

         |              VLAN 10

       ACE

         |

     ------------       VLAN 11

    |            |

FW1      FW2

    |            |

     ------------       VLAN 21

         |

      ACE

         |              VLAN 20

     MSFC 2

        |

    client 2

unless i set a "IP route"  on ACE to reach the destination subnet (client 2) to MSFC 2

the ping doesn't work.

At this point, what i don't understand is why i have to put an IP route in bridge mode?

i try specificaly this ACE configuration mode to not set all the IP route in L3 mode!!!

Do someone see where i'm wrong?

Last point, here is what the service-policy apply to VLAN 21 shows when the route doesn't exist:

LAB-DC1-CE-PE1-ACE/C1# sh service-policy PM-L4-R-STICKY-FW-B det
Status     : ACTIVE
Description: -----------------------------------------
Interface: vlan 21
  service-policy: PM-L4-R-STICKY-FW-B
    class: CM-VIP-BGP-B
     VIP Address:    Protocol:  Port:
     0.0.0.0         tcp        eq    179
      loadbalance:
        L7 loadbalance policy: PM-L7-R-STICKY-FW-B-BGP
        VIP Route Metric     : 77
        VIP Route Advertise  : DISABLED
        VIP ICMP Reply       : DISABLED
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 4
        dropped conns    : 4
        client pkt count : 4         , client byte count: 176
        server pkt count : 0         , server byte count: 0
        conn-rate-limit      : 0         , drop-count : 0
        bandwidth-rate-limit : 0         , drop-count : 0
        L7 Loadbalance policy : PM-L7-R-STICKY-FW-B-BGP
          class/match : class-default
            LB action :
               forward
               reverse sticky group: BOTH_IP_STICKY_B_BGP
                  primary serverfarm: SF-FW-B-BGP
                    state: UP
                  backup serverfarm : -
            hit count        : 4
            dropped conns    : 0
    class: CM-VIP-DEFAULT-B
     VIP Address:    Protocol:  Port:
     0.0.0.0         any
      loadbalance:
        L7 loadbalance policy: PM-L7-R-STICKY-FW-B
        VIP Route Metric     : 77
        VIP Route Advertise  : DISABLED
        VIP ICMP Reply       : DISABLED
        VIP State: INSERVICE
        curr conns       : 0         , hit count      : 2
        dropped conns  : 2
        client pkt count : 2         , client byte count: 200
        server pkt count : 0         , server byte count: 0
        conn-rate-limit      : 0         , drop-count : 0
        bandwidth-rate-limit : 0         , drop-count : 0
        L7 Loadbalance policy : PM-L7-R-STICKY-FW-B
          class/match : class-default
            LB action :
               forward
               reverse sticky group: BOTH_IP_STICKY_B
                  primary serverfarm: SF-FW-B
                    state: UP
                  backup serverfarm : -
            hit count        : 2
            dropped conns    : 0

Labels:
79153-Context config.txt.zip
0 Helpful
7 Replies 7

robert.horrigan
Level 2
Level 2

‎01-21-2011 08:37 PM

What is the default gateway of your rservers?

0 Helpful

lacirasella
Level 1
Level 1
In response to robert.horrigan

‎01-24-2011 12:50 AM

hi?

i'm actually pointing to the fws

i also try try to point to the ACE alias but the result is worst

Maurice

0 Helpful

rvavale
Cisco Employee
Cisco Employee
In response to lacirasella

‎01-27-2011 01:12 AM

Hi,

Can you try by enabling 'mac-sticky' under vlan interface.

This link explains Firewall Loadbalancing along with sample config,
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples_--_Server_Load-Balancing_Configuration_Examples#Examples_of_Firewall_Load-Balancing_Configurations

Try enabling 'mac-sticky' and let me know if that helps.

Best Regards,
Rahul

0 Helpful

lacirasella
Level 1
Level 1
In response to rvavale

‎01-27-2011 02:20 AM

Hi,

that is already done on vlan toward the firewall

i also try to install it on vlan toward the client

the problem is still here

Thanks

0 Helpful

rvavale
Cisco Employee
Cisco Employee
In response to lacirasella

‎02-06-2011 01:58 PM

Hi,

Did you try configuring mac-sticky towards client vlan, did it help. If not then you may want to open TAC case to troubleshoot.

Best Regards,

Rahul

0 Helpful

lacirasella
Level 1
Level 1
In response to rvavale

‎02-07-2011 01:33 AM

same result,

a SR is open on the TAC

A Cisco guys at CiscoLive in London told me that IP route are mandatory now in L2 mode, which mean

that is was not the case in the first release of the ACE (i have also test it in an old release and it was

working without any routes).

I'm waiting for the TAC answer.

Thanks for your help

0 Helpful

lacirasella
Level 1
Level 1
In response to lacirasella

‎02-21-2011 04:59 AM

Hi,

confirmation that ACE in L2 mode need IP routes

it was always the case

Maurice

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card