Getting Started Guide, Cisco ACE Application Control Engine Module
Configuring Bridged Mode

This chapter describes how to configure the Cisco Application Control Engine (ACE) module to bridge traffic on a single IP subnet.

This chapter includes the following topics:

Information About Configuring Bridged Mode

Guidelines and Limitations

Task Flow for Configuring Bridged Mode

Configuring Bridged Mode on the ACE

Configuration Example for Bridged Mode

Where to Go Next

Information About Configuring Bridged Mode

After reading this chapter, you should have a basic understanding of bridged mode, how it works in the ACE, and how to configure it.

Up to this point in this guide, you have been configuring the ACE in routed mode. Routed mode treats the ACE as a next hop in the network, typically with a client-side VLAN and a server-side VLAN in different IP subnets or even in different IP networks. The VLAN interfaces rely on IP addresses to route packets from one subnet or network to another.

In bridged mode, the ACE bridges traffic between two VLANs in the same IP subnet. The VLAN facing the WAN is the client-side VLAN. The VLAN facing the data center is the server-side VLAN. A bridge group virtual interface (BVI) joins the two VLANs into one bridge group.

As traffic passes through the client-side VLAN, the ACE evaluates the traffic with the configured service policy. Traffic that matches a policy is redirected to a server that has a dedicated VLAN interface configured on the ACE. Traffic leaving the server goes to the ACE, where it is directed out of the server-side VLAN to the origin server. Traffic is routed by means of static routing. No dynamic routing protocols are required.

Prerequisites

Bridged mode on an ACE has the following prerequisites:

Contact your network administrator to determine which VLANs and addresses are available for use by the ACE. Then, configure VLANs for the ACE using the Cisco IOS Software (see the "Configuring VLANs for the ACE Using Cisco IOS Software" section).

Configure a default route on the ACE to identify an IP address for the ACE to send all IP packets for which it does not have a route (see the "Configuring a Default Route" section).

Configure an access list to allow traffic (see the "Configuring an ACL" section).

Guidelines and Limitations

Bridged mode on the ACE has the following configuration guidelines and limitations:

The ACE supports 4,094 BVIs per system.

The ACE supports a maximum of 8,192 interfaces per system that include VLANs, shared VLANs, and BVI interfaces.

When you configure a bridge group on an interface VLAN, the ACE automatically makes it a bridged interface.

The ACE supports a maximum of two Layer 2 interface VLANs per bridge group.

The ACE does not allow shared VLAN configurations on Layer 2 interfaces.

Because Layer 2 VLANs are not associated with an IP address, they require extended access control lists (ACLs) for controlling IP traffic. You can also optionally configure EtherType ACLs to pass non-IP traffic.

The ACE does not perform MAC address learning on a bridged interface. Instead, learning is performed by ARP. Bridge lookup is based on the bridge-group identifier and destination MAC address. A bridged interface automatically sends multicast and broadcast bridged traffic to the other interface of the bridge group.

ARP packets are always passed through a Layer 2 interface after their verification and inspection. Multicast and broadcast packets from the incoming interface are flooded to the other Layer 2 interface in the bridge group.

The server default gateway is the upstream router.

By default, the ACE performs a route lookup to select the next hop to reach the client. We recommend using the mac-sticky feature, rather than the static default route, to send return traffic back in response to the client connection.

Configuring Bridged Mode on the ACE

This section describes how to configure bridged mode using the example shown in Figure 13-1.

Figure 13-1 Example of Bridged Mode

The configuration of the example setup is as follows:

A virtual server VS_WEB2 is created with a virtual IP address 10.15.3.100 to forward the client traffic from VLAN 40 to the servers in VLAN 41.

There are four real servers grouped into the server farm SF_WEB2.

VLAN 40 is assigned to the ACE and is used for client-side traffic. VLAN 41 is assigned to the ACE and is used for server-side traffic.

A BVI with the IP address 10.15.3.5 configures the two VLANs into one bridge group.

This section contains the following topics:

Prerequisites

Configuring Server Load Balancing

Configuring the VLANs and a BVI

Task Flow for Configuring Bridged Mode

Follow these steps to configure bridged mode on the ACE:


Step 1 Configure the real servers and server farm.

Step 2 Configure a TCP probe and associate it with the server farm.

Step 3 Configure the VIP address where clients are to send requests.

Step 4 Create the policy for load-balancing traffic.

Step 5 Create a service policy.

Step 6 Create the client and server VLANs and associate them with a BVI.

Step 7 Configure the mac-sticky feature on the client VLAN interface.

Step 8 Apply the access group and service policy to the interface.


Configuring Server Load Balancing

Procedure


Step 1 Add the four real servers (see the "Configuring Real Servers" section in Chapter 6, Configuring Server Load Balancing), using the following real server names, descriptions, and IP addresses and place each server in service:

Name: RS_WEB5, Description: content server web-five, IP Address: 10.15.3.11

Name: RS_WEB6, Description: content server web-six, IP Address: 10.15.3.12

Name: RS_WEB7, Description: content server web-seven, IP Address: 10.15.3.13

Name: RS_WEB8, Description: content server web-eight, IP Address: 10.15.3.14

Step 2 Group these real servers into a server farm (see the "Creating a Server Farm" section in Chapter 6, Configuring Server Load Balancing) and place each server in service. In this example, name the server farm SF_WEB2.

Step 3 Configure a TCP probe to check the health of all the real servers in the server farm and associate the probe with the server farm. See the "Configuration Example for Bridged Mode" section.

Step 4 Create a virtual server traffic policy (see the "Creating a Virtual Server Traffic Policy" section in Chapter 6, Configuring Server Load Balancing, Steps 1 through 12). For this example, do the following:

Create a Layer 7 policy map for the action when the client request arrives and is sent to the server farm, name the load-balancing policy HTTP_LB, configure a default class map, and associate the server farm SF_WEB2.

Create a Layer 3 and Layer 4 class map to define the VIP where the clients will send their requests, and name the class map VS_WEB2 with a match virtual address of 10.15.3.100 with a match on any port.

Create a Layer 3 and Layer 4 multi-match policy map to direct classified incoming requests to the load-balancing policy map. In this example, name the policy HTTP_MULTI_MATCH, associate the VS_WEB2 class map and the HTTP_LB policy map, and then enable the VIP for load-balancing operations by placing it in service.


Configuring the VLANs and a BVI

You can configure bridged mode by creating the client-side and the server-side VLANs on the ACE and associating them with a BVI.

Procedure

 
Step 1
Command: changeto context
Example:
host1/Admin# changeto VC_WEB
host1/VC_WEB#
Purpose: Changes to the correct context if necessary. Check the CLI prompt to verify that you are operating in the desired context.

Step 2
Command: config
Example:
host1/VC_WEB# config
host1/VC_WEB(config)#
Purpose: Enters configuration mode.

Step 3
Command: interface vlan vlan_id
Example:
host1/VC_WEB(config)# interface vlan 40
host1/VC_WEB(config-if)#
Purpose: Accesses the interface for the client-side VLAN.

Step 4
Command: description string
Example:
host1/VC_WEB(config-if)# description Client_side
Purpose: Enters a description of the VLAN.

Step 5
Command: bridge-group number
Example:
host1/VC_WEB(config-if)# bridge-group 1
Purpose: Assigns the VLAN to the BVI.

Step 6
Command: mac-sticky enable
Example:
host1/VC_WEB(config-if)# mac-sticky enable
Purpose: Enables the mac-sticky feature for a VLAN interface.

Step 7
Command: access-group input acl_name
Example:
host1/VC_WEB(config-if)# access-group input INBOUND
Purpose: Applies the ACL to the VLAN.

Step 8
Command: service-policy input policy_name
Example:
host1/VC_WEB(config-if)# service-policy input HTTP_MULTI_MATCH
Purpose: Applies the multi-match policy map to the VLAN.

Step 9
Command: no shutdown
Example:
host1/VC_WEB(config-if)# no shutdown
Purpose: Places the VLAN in service.

Step 10
Command: exit
Example:
host1/VC_WEB(config-if)# exit
host1/VC_WEB(config)#
Purpose: Exits interface configuration mode.

Step 11
Command: interface vlan vlan_id
Example:
host1/VC_WEB(config)# interface vlan 41
host1/VC_WEB(config-if)#
Purpose: Accesses the interface for the server-side VLAN.

Step 12
Command: description string
Example:
host1/VC_WEB(config-if)# description Server_side
Purpose: Enters a description of the VLAN.

Step 13
Command: bridge-group number
Example:
host1/VC_WEB(config-if)# bridge-group 1
Purpose: Assigns the VLAN to the BVI.

Step 14
Command: no shutdown
Example:
host1/VC_WEB(config-if)# no shutdown
Purpose: Places the VLAN in service.

Step 15
Command: exit
Example:
host1/VC_WEB(config-if)# exit
host1/VC_WEB(config)#
Purpose: Exits interface configuration mode.

Step 16
Command: interface bvi number
Example:
host1/VC_WEB(config)# interface bvi 1
host1/VC_WEB(config-if)#
Purpose: Creates the BVI.

Step 17
Command: description string
Example:
host1/VC_WEB(config-if)# description Client and server bridge group 1
Purpose: Enters a description of the BVI.

Step 18
Command: ip address ip_address netmask
Example:
host1/VC_WEB(config-if)# ip address 10.15.3.5 255.255.255.0
Purpose: Assigns an IP address and network mask to the BVI interface.

Step 19
Command: no shutdown
Example:
host1/VC_WEB(config-if)# no shutdown
Purpose: Places the BVI in service.

Step 20
Command: Ctrl-Z
Example:
host1/Admin(config-if)# Ctrl-Z
host1/Admin#
Purpose: Returns to Exec mode directly from any configuration mode.

Step 21
Command: show running-config interface
Example:
host1/Admin# show running-config interface
Purpose: Displays the interface configuration.

Step 22
Command: show interface bvi number
Example:
host1/Admin# show interface bvi 1
Purpose: Displays the status and statistics for the BVI interface.

Step 23
Command: copy running-config startup-config
Example:
host1/Admin# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.

Configuration Example for Bridged Mode

The following running configuration example shows a basic bridged mode configuration. The commands that you have configured in this chapter appear in bold text.

access-list INBOUND extended permit ip any any

probe tcp TCP_PROBE1

rserver host RS_WEB5
  description content server web-five
  ip address 10.15.3.11
  inservice
rserver host RS_WEB6
  description content server web-six
  ip address 10.15.3.12
  inservice
rserver host RS_WEB7
  description content server web-seven
  ip address 10.15.3.13
  inservice
rserver host RS_WEB8
  description content server web-eight
  ip address 10.15.3.14
  inservice

serverfarm SF_WEB2
  probe TCP_PROBE1
  rserver RS_WEB5 80
    inservice
  rserver RS_WEB6 80
    inservice
  rserver RS_WEB7 80
    inservice
  rserver RS_WEB8 80
    inservice

policy-map type loadbalance first-match HTTP_LB
  class class-default
    serverfarm SF_WEB2

class-map VS_WEB2
  match virtual-address 10.15.3.100 any

policy-map multi-match HTTP_MULTI_MATCH
  class VS_WEB2
    loadbalance policy HTTP_LB
    loadbalance vip inservice

interface bvi 1
  description Client and server bridge group 1
  ip address 10.15.3.5 255.255.255.0
  no shutdown

interface vlan 40
  description Client_side
  bridge-group 1
  mac-sticky enable
  access-group input INBOUND
  service-policy input HTTP_MULTI_MATCH
  no shutdown

interface vlan 41
  description Server-side
  bridge-group 1
  no shutdown

context VC_WEB
  allocate-interface vlan 40
  allocate-interface vlan 41
  member RC_WEB

ip route 0.0.0.0 0.0.0.0 10.15.3.1
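
Several of the guidelines in this chapter (two Layer 2 VLANs per bridge group, extended ACLs on bridged VLANs, mac-sticky on the client VLAN) can be checked mechanically against a saved running configuration. The following Python script is an added example, not Cisco code; the function names, the constructed sample, the reliance on indented stanza sub-commands, and treating the VLAN that carries the service policy as the client side are assumptions.

```python
import re

# Constructed sample: VLAN 42 overfills bridge group 1 and names an undefined ACL;
# VLAN 40 carries the service policy but lacks mac-sticky.
SAMPLE = """\
access-list INBOUND extended permit ip any any
interface vlan 40
  bridge-group 1
  access-group input INBOUND
  service-policy input HTTP_MULTI_MATCH
interface vlan 41
  bridge-group 1
interface vlan 42
  bridge-group 1
  access-group input LEGACY
"""

def parse_vlans(config):
    """Map VLAN id -> indented sub-commands of its 'interface vlan' stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        head = re.match(r"interface vlan (\d+)\s*$", line)
        if head:
            current = stanzas.setdefault(int(head.group(1)), [])
        elif line[:1].isspace() and current is not None:
            current.append(line.strip())
        elif line.strip():
            current = None  # any other top-level command ends the stanza
    return stanzas

def lint_bridged_mode(config):
    """Check bridged-mode guidelines; assumes the service-policy VLAN is the client side."""
    stanzas, findings, groups = parse_vlans(config), [], {}
    extended = set(re.findall(r"^access-list (\S+) extended ", config, re.M))
    for vlan, cmds in stanzas.items():
        for cmd in cmds:
            if re.fullmatch(r"bridge-group \d+", cmd):
                groups.setdefault(int(cmd.split()[1]), []).append(vlan)
    for grp, vlans in sorted(groups.items()):
        if len(vlans) > 2:  # guideline: two Layer 2 interface VLANs per bridge group
            findings.append(f"bridge-group {grp}: {len(vlans)} VLANs, maximum is two")
        for vlan in sorted(vlans):
            cmds = stanzas[vlan]
            acls = [c.split()[2] for c in cmds if c.startswith("access-group input ")]
            if acls and not extended.intersection(acls):  # Layer 2 VLANs need extended ACLs
                findings.append(f"vlan {vlan}: no extended ACL among {acls}")
            if any(c.startswith("service-policy input ") for c in cmds) and "mac-sticky enable" not in cmds:
                findings.append(f"vlan {vlan}: service policy without mac-sticky enable")
    return findings
```

Calling `lint_bridged_mode(SAMPLE)` returns one finding per violated guideline; a configuration that follows this chapter's example returns an empty list.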
 
   

Where to Go Next

In this chapter, you have learned how to configure bridged mode on your ACE. For more detailed information about both bridged mode and routed mode, see the Routing and Bridging Guide, Cisco ACE Application Control Engine.

In the next chapter, you will learn how to configure your ACE for "one-arm" mode.