Getting Started Guide vA5(1.0), Cisco ACE 4700 Series Application Control Engine Appliance

Configuring Bridged Mode


This chapter describes how to configure the ACE to bridge traffic on a single IP subnet.

This chapter includes the following topics:

Information About Configuring Bridged Mode

Prerequisites

Guidelines and Limitations

Configuring Bridged Mode on the ACE

Configuration Example for Bridged Mode

Where to Go Next

Information About Configuring Bridged Mode

After reading this chapter, you should have a basic understanding of bridged mode, how it works in the ACE, and how to configure it.

Up to this point in this guide, you have been configuring the ACE in routed mode. Routed mode treats the ACE as a next hop in the network, typically with a client-side VLAN and a server-side VLAN in different IP subnets or even in different IP networks. The VLAN interfaces rely on IP addresses to route packets from one subnet or network to another.

In bridged mode, the ACE bridges traffic between two VLANs in the same IP subnet. The VLAN facing the WAN is the client-side VLAN. The VLAN facing the data center is the server-side VLAN. A bridge group virtual interface (BVI) joins the two VLANs into one bridge group.

As traffic passes through the client-side VLAN, the ACE evaluates the traffic with the configured service policy. Traffic that matches a policy is redirected to a server that has a dedicated VLAN interface configured on the ACE. Traffic leaving the server goes to the ACE, where it is directed out of the server-side VLAN to the origin server. Traffic is routed by means of static routing. No dynamic routing protocols are required.

For more detailed information about both bridged mode and routed mode, see the Routing and Bridging Guide, Cisco ACE Application Control Engine.

Prerequisites

Bridged mode on an ACE has the following prerequisites:

Contact your network administrator to determine which VLANs and addresses are available for use by the ACE.

Configure a default route on the ACE to identify an IP address for the ACE to send all IP packets for which it does not have a route (see the "Enabling Management Connectivity Using the Setup Script" section in Chapter , "Setting Up an ACE Appliance").

Configure an access list to allow traffic (see the "Configuring an ACL" section in Chapter , "Configuring Access Control Lists").

Guidelines and Limitations

Bridged mode on the ACE has the following configuration guidelines and limitations:

The ACE supports 4,094 BVIs per system.

The ACE supports a maximum of 8,192 interfaces per system that include VLANs, shared VLANs, and BVI interfaces.

When you configure a bridge group on an interface VLAN, the ACE automatically makes it a bridged interface.

The ACE supports a maximum of two Layer 2 interface VLANs per bridge group.

The ACE does not allow shared VLAN configurations on Layer 2 interfaces.

Because Layer 2 VLANs are not associated with an IP address, they require extended access control lists (ACLs) for controlling IP traffic. You can also optionally configure EtherType ACLs to pass non-IP traffic.

The ACE does not perform MAC address learning on a bridged interface. Instead, learning is performed by ARP. Bridge lookup is based on the bridge-group identifier and destination MAC address. A bridged interface automatically sends multicast and broadcast bridged traffic to the other interface of the bridge group.

ARP packets are always passed through a Layer 2 interface after their verification and inspection. Multicast and broadcast packets from the incoming interface are flooded to the other Layer 2 interface in the bridge group.

The server default gateway is the upstream router.

By default, the ACE performs a route lookup to select the next hop to reach the client. We recommend using the mac-sticky feature, rather than the static default route, to send return traffic back in response to the client connection.

This chapter describes how to configure bridged mode using the example shown in Figure 12-1.

Figure 12-1 Example of Bridged Mode

The configuration of the example setup is as follows:

A virtual server VS_WEB2 is created with a virtual IP address 10.15.3.100 to forward the client traffic from VLAN 40 to the servers in VLAN 41.

There are four real servers grouped into the server farm SF_WEB2.

VLAN 40 is assigned to the ACE and is used for client-side traffic. VLAN 41 is assigned to the ACE and is used for server-side traffic.

A BVI with the IP address 10.15.3.5 configures the two VLANs into one bridge group.

Configuring Bridged Mode on the ACE

To configure bridged mode, you can use either the ACE Device Manager user interface (GUI) or the CLI.

Configuring Server Load Balancing

Configuring Bridged Mode Using the Device Manager GUI

Configuring Bridged Mode Using the CLI

Configuring Server Load Balancing

Procedure


Step 1 Add the four real servers (see the "Configuring Real Servers" section in Chapter , "Configuring Server Load Balancing"), using the following real server names, descriptions, and IP addresses and place each server in service:

Name: RS_WEB5, Description: content server web-five, IP Address: 10.15.3.11

Name: RS_WEB6, Description: content server web-six, IP Address: 10.15.3.12

Name: RS_WEB7, Description: content server web-seven, IP Address: 10.15.3.13

Name: RS_WEB8, Description: content server web-eight, IP Address: 10.15.3.14

Step 2 Group these real servers into a server farm (see the "Creating a Server Farm" section in Chapter , "Configuring Server Load Balancing") and place each server in service. In this example, name the server farm SF_WEB2.

Step 3 Configure a TCP probe to check the health of all the real servers in the server farm and associate the probe with the server farm. See the "Configuration Example for Bridged Mode" section.

Step 4 Create a virtual server traffic policy (see "Creating a Virtual Server Traffic Policy" section in Chapter , "Configuring Server Load Balancing"). For this example, do the following:

Create a Layer 7 policy map for the action when the client request arrives and is sent to the server farm, name the load-balancing policy HTTP_LB, configure a default class map, and associate the server farm SF_WEB2.

Create a Layer 3 and Layer 4 class map to define the VIP where the clients will send their requests, and name the class map VS_WEB2 with a match virtual address of 10.15.3.100 with a match on any port.

Create a Layer 3 and Layer 4 multi-match policy map to direct classified incoming requests to the load-balancing policy map. In this example, name the policy HTTP_MULTI_MATCH, associate the VS_WEB2 class map and the HTTP_LB policy map, and then enable the VIP for load-balancing operations by placing it in service.


Configuring Bridged Mode Using the Device Manager GUI

Configure bridged mode using the Device Manager user interface by following these steps:


Step 1 Choose VC_web in the virtual contexts drop-down list.

Step 2 Perform the following actions to configure interface attributes for the client-side and server-side VLANs.

a. Select Config > Virtual Contexts > Network > VLAN Interfaces. The VLAN Interface table appears.

b. Click Add (+) to add a new VLAN interface. Click More Settings to access the additional VLAN interface attributes. By default, ACE appliance Device Manager hides the default VLAN interface attributes and the VLAN interface attributes which are not commonly used.

c. Enter the following interface attributes for the client-side VLAN. Leave the remaining attributes blank or with their default values.

VLAN: 40

Description: Client_side

Interface Type: Bridged

BVI: 1

Admin Status: Up

Input Policies: HTTP_MULTI_MATCH

Input Access Group: INBOUND

d. Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. Then, choose VLAN Interfaces to return to the VLAN Interfaces pane.

e. Enter the following interface attributes for the server-side VLAN. Leave the remaining attributes blank or with their default values.

VLAN: 41

Description: Server_side

Interface Type: Bridged

BVI: 1

Admin Status: Up

Input Policies: HTTP_MULTI_MATCH

Input Access Group: INBOUND

f. Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. Then, choose VLAN Interfaces to return to the VLAN Interfaces pane.

g. (Optional) To display statistics and status information for a VLAN interface, choose the VLAN interface from the VLAN Interface table, then click Details. The show interface vlan CLI command output appears.

Step 3 Perform the following actions to create the BVI.

a. Select Config > Virtual Contexts > Network > BVI Interfaces. The BVI Interface table appears.

b. Click Add (+) to add a new BVI interface.

c. Enter the following interface attributes for the BVI. Leave the remaining attributes blank or with their default values.

BVI: 1

Description: Client and server bridge group 1

IP Address: 10.15.3.5

Netmask: 255.255.255.0

Admin Status: Up

First VLAN: 40

First VLAN Description: Client_side

Second VLAN: 41

Second VLAN Description: Server_side

d. Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. Then, choose BVI Interfaces to return to the VLAN Interfaces pane.

e. (Optional) To display statistics and status information for a BVI interface, choose the BVI interface from the BVI Interface table, then click Details. The show interface bvi, show ipv6 interface bvi, and show ipv6 neighbors CLI commands appear.


Configuring Bridged Mode Using the CLI

You can configure bridged mode by creating the client-side and the server-side VLANs on the ACE and associating them with a BVI.

Configure the VLANs and a BVI using the CLI by following these steps:


Step 1 Verify that you are operating in the desired context by checking the CLI prompt. If necessary, change to the correct context.

host1/Admin# changeto VC_web
host1/VC_web#
 
   

Step 2 Enter configuration mode.

host1/VC_web# config
host1/VC_web(config)#
 
   

Step 3 Access the interface for the client-side VLAN.

host1/VC_web(config)# interface vlan 40
host1/VC_web(config-if)#
 
   

Step 4 Enter a description of the VLAN.

host1/VC_web(config-if)# description Client_side
 
   

Step 5 Assign the VLAN to the BVI.

host1/VC_web(config-if)# bridge-group 1
 
   

Step 6 Apply the ACL to the VLAN.

host1/VC_web(config-if)# access-group input INBOUND
 
   

Step 7 Apply the multi-match policy map to the VLAN.

host1/VC_web(config-if)# service-policy input HTTP_MULTI_MATCH
 
   

Step 8 Place the VLAN in service.

host1/VC_web(config-if)# no shutdown
 
   

Step 9 Exit interface configuration mode.

host1/VC_web(config-if)# exit
host1/VC_web(config)#
 
   

Step 10 Access the interface for the server-side VLAN.

host1/VC_web(config)# interface vlan 41
host1/VC_web(config-if)#
 
   

Step 11 Enter a description of the VLAN.

host1/VC_web(config-if)# description Server_side
 
   

Step 12 Assign the VLAN to the BVI.

host1/VC_web(config-if)# bridge-group 1
 
   

Step 13 Place the VLAN in service.

host1/VC_web(config-if)# no shutdown
 
   

Step 14 Exit interface configuration mode.

host1/VC_web(config-if)# exit
host1/VC_web(config)#
 
   

Step 15 Create the BVI.

host1/VC_web(config)# interface bvi 1
host1/VC_web(config-if)#
 
   

Step 16 Enter a description of the BVI.

host1/VC_web(config-if)# description Client and server bridge group 1
 
   

Step 17 Assign an IP address and network mask to the BVI interface.

host1/VC_web(config-if)# ip address 10.15.3.5 255.255.255.0
 
   

Step 18 Place the BVI in service.

host1/VC_web(config-if)# no shutdown
 
   

Step 19 Return to Exec mode directly from any configuration mode.

host1/VC_web(config-if)# Ctrl-Z
host1/VC_web#

Step 20 Display the interface configuration.

host1/VC_web# show running-config interface

Step 21 Display the status and statistics for the BVI interface.

host1/VC_web# show interface bvi 1

Step 22 (Optional) Copy the running configuration to the startup configuration.

host1/VC_web# copy running-config startup-config

Configuration Example for Bridged Mode

The following running configuration example shows a basic bridged mode configuration. The commands that you have configured in this chapter appear in bold text.

access-list INBOUND extended permit ip any any

probe tcp TCP_PROBE1

rserver host RS_WEB5
  description content server web-five
  ip address 10.15.3.11
  inservice
rserver host RS_WEB6
  description content server web-six
  ip address 10.15.3.12
  inservice
rserver host RS_WEB7
  description content server web-seven
  ip address 10.15.3.13
  inservice
rserver host RS_WEB8
  description content server web-eight
  ip address 10.15.3.14
  inservice

serverfarm SF_WEB2
  probe TCP_PROBE1
  rserver RS_WEB5 80
    inservice
  rserver RS_WEB6 80
    inservice
  rserver RS_WEB7 80
    inservice
  rserver RS_WEB8 80
    inservice

policy-map type loadbalance first-match HTTP_LB
  class class-default
    serverfarm SF_WEB2

class-map VS_WEB2
  match virtual-address 10.15.3.100 any

policy-map multi-match HTTP_MULTI_MATCH
  class VS_WEB2
    loadbalance policy HTTP_LB
    loadbalance vip inservice

interface bvi 1
  description Client and server bridge group 1
  ip address 10.15.3.5 255.255.255.0
  no shutdown

interface vlan 40
  description Client_side
  bridge-group 1
  access-group input INBOUND
  service-policy input HTTP_MULTI_MATCH
  no shutdown

interface vlan 41
  description Server_side
  bridge-group 1
  no shutdown

context VC_web
  allocate-interface vlan 40
  allocate-interface vlan 41
  member RC_WEB

ip route 0.0.0.0 0.0.0.0 10.15.3.1
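
The following Python script is an added example, not part of the Cisco guide. It audits a saved running configuration against this chapter's bridged-mode guidelines: at most two VLANs per bridge group, a BVI with an IP address for each bridge group, and input ACLs on bridged VLANs that permit all IP traffic, as the example INBOUND list does. It assumes the indented stanza layout of show running-config output; the function names and VLANs 42 and 50 in the sample are hypothetical.

```python
import re

# Constructed input: the chapter's interfaces plus hypothetical VLANs 42 and 50.
SAMPLE = """access-list INBOUND extended permit ip any any
interface bvi 1
  ip address 10.15.3.5 255.255.255.0
interface vlan 40
  bridge-group 1
  access-group input INBOUND
interface vlan 41
  bridge-group 1
interface vlan 42
  bridge-group 1
interface vlan 50
  bridge-group 2
"""

def parse_interfaces(config):
    """Map (kind, number) -> list of indented sub-commands in that stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"interface (vlan|bvi) (\d+)\s*$", raw)
        if m:
            current = stanzas.setdefault((m.group(1), int(m.group(2))), [])
        elif raw[:1].isspace() and current is not None:
            current.append(raw.strip())
        elif raw.strip():
            current = None  # any other top-level command ends the stanza
    return stanzas

def audit(config):
    """Return findings that conflict with the chapter's bridged-mode guidelines."""
    ifs = parse_interfaces(config)
    open_acls = set(re.findall(
        r"^access-list (\S+) (?:line \d+ )?extended permit ip any any\s*$", config, re.M))
    groups, findings = {}, []
    for (kind, num), cmds in sorted(ifs.items()):
        bg = [int(c.split()[1]) for c in cmds if c.startswith("bridge-group ")]
        if kind == "vlan" and bg:
            groups.setdefault(bg[0], []).append(num)
            acl = [c.split()[2] for c in cmds if c.startswith("access-group input ")]
            if acl and acl[0] in open_acls:
                findings.append(f"vlan {num}: input ACL {acl[0]} permits all IP traffic")
    for bg, vlans in sorted(groups.items()):
        if len(vlans) > 2:
            findings.append(f"bridge-group {bg}: {len(vlans)} VLANs, maximum is two")
        if not any(c.startswith("ip address ") for c in ifs.get(("bvi", bg), [])):
            findings.append(f"bridge-group {bg}: no BVI with an IP address")
    return findings
```

Calling audit(SAMPLE) returns one finding for the permit-all ACL on VLAN 40, one for the three-VLAN bridge group 1, and one for bridge group 2, which has no BVI.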
 
   

Where to Go Next

In this chapter, you have learned how to configure bridged mode on your ACE. In the next chapter, you will learn how to configure your ACE for "one-arm" mode.