This chapter describes how clients and servers communicate through the Cisco 4700 Series Application Control Engine (ACE) appliance using either Layer 2 (L2) or Layer 3 (L3) in a VLAN configuration. When the client-side and server-side VLANs are on the same subnet, you can configure the ACE to bridge traffic between them on that single subnet.
When the client-side and server-side VLANs are on different subnets, you can configure the ACE to route the traffic. For more information, see Chapter 3, "Configuring Routes on the ACE."
In bridge mode, the ACE acts as a "bump in the wire" and is not a routed hop. No dynamic routing protocols are required.
When you configure a bridge group on an interface VLAN, the ACE automatically makes it a bridged interface. The ACE supports a maximum of two Layer 2 interface VLANs per bridge group.
Note The ACE does not allow shared VLAN configurations on Layer 2 interfaces.
Because L2 VLANs are not associated with an IP address, they require extended access control lists (ACLs) for controlling IP traffic. You can also optionally configure EtherType ACLs for the passing of non-IP traffic. For information on ACLs, see the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide.
To enable the bridge-group VLANs, you must configure a bridge-group virtual interface (BVI) that is associated with a corresponding bridge group. You must configure an IP address on the BVI. This address is used as the source IP address for traffic that the ACE itself originates, for example, Address Resolution Protocol (ARP) requests or management traffic. The ACE supports 4,094 BVIs per system.
Note The ACE supports a maximum of 8,192 interfaces per system that include VLANs, shared VLANs, and BVI interfaces.
The ACE does not perform MAC address learning on a bridged interface. Instead, learning is performed by ARP. Bridge lookup is based on the bridge-group identifier and the destination MAC address. A bridged interface automatically sends multicast and broadcast bridged traffic to the other interface of the bridge group.
ARP packets are always passed through an L2 interface after their verification and inspection. For information on configuring ARP on the ACE, see Chapter 5, "Configuring ARP." Multicast and broadcast packets from the incoming interface are flooded to the other L2 interface in the bridge group.
This chapter contains the following major sections:
•Bridge Mode Configuration Quick Start
•Configuring a Bridge-Group VLAN
•Configuring a Bridge-Group Virtual Interface
•Displaying Bridge Group or BVI Information
Table 4-1 provides a quick overview of the steps required to configure a bridge group for the ACE. Each step includes the CLI command required to complete the task.
In bridge mode, you configure two interface VLANs into a group and bridge packets between them. Both interfaces are in one broadcast domain, and packets arriving on one VLAN are switched to the other VLAN. The ACE bridge mode supports only two L2 VLANs per bridge group. In this mode, the L2 VLAN interfaces do not have configured IP addresses.
Before you create a bridge group, you must assign a VLAN to the context and access its mode to configure its attributes. Use the interface vlan command in configuration mode. The syntax for the command is as follows:
interface vlan number
The number argument is the VLAN number that you want to assign to the context. For example, enter:
host1/Admin(config)# interface vlan 2
To remove a VLAN, use the no interface vlan command. For example, enter:
host1/Admin(config)# no interface vlan 2
After you configure the VLAN, configure its attributes as described in the following topics:
•Configuring a Bridge Group to the VLAN
•Assigning an ACL to the Bridge-Group VLAN
When you configure a bridge group on the VLAN, the ACE automatically makes it bridged. To assign the VLAN to the bridge group, use the bridge-group command in interface configuration mode. The syntax for the command is as follows:
bridge-group number
The number argument is a number from 1 to 4094. For example, to assign bridge group 15 to the VLAN, enter:
host1/Admin(config-if)# bridge-group 15
To remove the bridge group from the VLAN, use the no bridge-group command. For example, enter:
host1/Admin(config-if)# no bridge-group
A bridge group VLAN supports extended ACLs for IP traffic and EtherType ACLs for non-IP traffic. The following is an example of an extended ACL that permits all IP traffic:
host1/Admin(config)# access-list ACL1 line 5 extended permit ip any any
Because this entry matches every IP packet, it is suitable for a lab or for initial bring-up only. For a production bridge, restrict the ACL to the protocols, ports, and server addresses that you expect to cross it; anything the ACL does not permit is dropped by the implicit deny at the end of the list.
For non-IP traffic, configure an EtherType ACL. EtherType ACLs support Ethernet V2 frames. You can configure the ACE to pass one or any of the following non-IP EtherTypes: Multiprotocol Label Switching (MPLS), Internet Protocol version 6 (IPv6), and bridge protocol data units (BPDUs).
You can permit or deny BPDUs. By default, all BPDUs are denied. The ACE receives trunk port (Cisco proprietary) BPDUs because ACE ports are trunk ports. Trunk BPDUs have VLAN information inside the payload, so the ACE modifies the payload with the outgoing VLAN if you permit BPDUs.
Note If you configure failover on the ACE, you must permit BPDUs on both interfaces with an EtherType ACL to avoid bridging loops.
The following example shows an EtherType ACL that permits BPDUs:
host1/Admin(config)# access-list NONIP ethertype permit bpdu
For more detailed information on extended or EtherType ACLs, see the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide.
After you configure an ACL for permitting traffic, assign it to the bridge-group VLAN. To apply an ACL to the inbound or outbound direction of a VLAN, use the access-group command in interface configuration mode. The syntax for the command is as follows:
access-group {input | output} acl_name
The options and arguments are:
•input—Specifies the inbound direction of the interface to apply the ACL.
•output—Specifies the outbound direction of the interface to apply the ACL. This option is not allowed for EtherType ACLs.
•acl_name—Identifier of an existing ACL to apply to the interface.
For example, to assign ACL1 for inbound traffic to the interface, enter:
host1/Admin(config-if)# access-group input ACL1
To assign ACL1 for outbound traffic to the interface, enter:
host1/Admin(config-if)# access-group output ACL1
To remove an ACL from an interface, use the no access-group command. For example, enter:
host1/Admin(config-if)# no access-group output ACL1
When you create an interface, the interface is in the shutdown state until you enable it. To enable an interface for use, use the no shutdown command. For example, enter:
host1/Admin(config-if)# no shutdown
To disable the VLAN, use the shutdown command. For example, enter:
host1/Admin(config-if)# shutdown
After you enable the bridge-group VLAN, configure a BVI to bring it into operation.
To initiate traffic, such as ARP requests, from the ACE or for management traffic, a bridge group requires an interface with an IP address on the same subnet. This interface is the BVI.
A BVI is associated with a corresponding bridge group and behaves like a routed interface within the ACE, but it does not itself support bridging. The BVI is assigned the number of the associated bridge group. Only one BVI is supported for each bridge group. The MAC address of the BVI is the same as the addresses of the associated bridge-group interfaces. You must enable both the BVI and the associated bridge-group interfaces before the group forwards traffic.
To use a BVI to terminate management traffic, apply a management policy to the Layer 2 interface from which the management traffic is expected. To apply this policy, configure the service policy on the bridge-group interface VLAN, and then configure the management IP address to the BVI.
This section provides the following topics:
•Creating a Virtual Routed Interface for a Bridge Group
•Configuring an Alias IP Address
•Configuring a Peer IP Address
You can create a virtual routed interface for a bridge group by using the interface bvi command in configuration mode. The syntax for the command is as follows:
interface bvi group_number
The group_number argument is the bridge-group number configured on the Layer 2 VLAN interfaces.
For example, to create a BVI for bridge group 15, enter:
host1/Admin(config)# interface bvi 15
host1/Admin(config-if)#
To delete a BVI for bridge group 15, enter:
host1/Admin(config)# no interface bvi 15
You can assign an IP address to a BVI by using the ip address command in interface configuration mode for the BVI. The syntax for the command is as follows:
ip address ip_address mask
The ip_address mask arguments are the address and subnet mask of the interface. Enter the IP address and subnet mask in dotted-decimal notation.
For example, to configure an IP address and mask for a BVI, enter:
host1/Admin(config-if)# ip address 10.0.0.10 255.255.255.0
To delete the IP address from a BVI, enter:
host1/Admin(config-if)# no ip address
When you configure a redundant configuration with active and standby appliances, you can configure a VLAN interface that has an IP address that is shared between the active and standby appliances. To configure a shared address for the BVI, use the alias command in interface configuration mode. The syntax for the command is as follows:
alias ip_address mask
The ip_address mask arguments are the address and subnet mask of the interface. Enter the IP address and subnet mask in dotted-decimal notation.
For example, to configure an IP address and mask for a BVI, enter:
host1/Admin(config-if)# alias 10.0.0.15 255.255.255.0
To delete the alias IP address from a BVI, enter:
host1/Admin(config-if)# no alias 10.0.0.15 255.255.255.0
When you configure redundancy, by default, configuration mode on the standby appliance is disabled and changes on the active appliance are automatically synchronized to the standby appliance. However, the interface IP addresses on the active and standby appliances must be unique, so the ACE cannot simply copy them. Instead, the ACE swaps the two addresses during synchronization: the IP address of an interface on the active appliance becomes the peer IP address on the standby appliance, and the peer IP address on the active appliance becomes the interface IP address on the standby appliance.
To configure the IP address that the interface uses on the standby appliance, use the peer ip address command in interface configuration mode on the active appliance. The syntax for the command is as follows:
peer ip address ip_address mask
The ip_address mask arguments are the address and subnet mask for the peer appliance.
For example, to configure an IP address and mask for the peer appliance, enter:
host1/Admin(config-if)# peer ip address 10.0.0.18 255.255.255.0
To delete the IP address for the peer appliance, enter:
host1/Admin(config-if)# no peer ip address
You can provide a description for the BVI by using the description command in interface configuration mode. The syntax for the command is as follows:
description text
The text argument is a text string with a maximum of 240 alphanumeric characters including spaces.
For example, to provide a description for the BVI, enter:
host1/Admin(config-if)# description BVI for Bridge Group 15
To delete the description, enter:
host1/Admin(config-if)# no description
You can enable a BVI by using the no shutdown command in interface configuration mode. The syntax for the command is as follows:
no shutdown
For example, to enable a BVI, enter:
host1/Admin(config-if)# no shutdown
To disable the BVI, enter:
host1/Admin(config-if)# shutdown
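The following configuration listing is an added, complete example that ties together the bridge-group VLAN steps (VLAN assignment, bridge group, ACLs, enabling) and the BVI steps (address, peer address, alias) described in this chapter. It is not part of the original guide or of any shipped ACE configuration. The VLAN numbers 100 and 200, bridge group 15, the 10.0.0.0/24 addresses, the server address 10.0.0.100, and the ACL names WEB, SERVERS, and NONIP are assumptions chosen for illustration. The listing also assumes that one extended ACL and one EtherType ACL can be applied in the same direction on an interface, and that the ACE evaluates ACLs when a flow is created rather than on every return packet; confirm both points against the Security Configuration Guide for your software version.

```cisco
! Added example (not from the original guide): a complete bridge-mode
! configuration for one bridge group on the ACE. VLAN numbers, bridge-group
! number, addresses, ACL names and the server address are assumptions.
!
! IP traffic: rather than "permit ip any any", permit only what the bridge is
! expected to carry. Anything not matched falls to the implicit deny.
! Client side: HTTP and HTTPS to the (assumed) server 10.0.0.100 only.
access-list WEB line 10 extended permit tcp any host 10.0.0.100 eq 80
access-list WEB line 20 extended permit tcp any host 10.0.0.100 eq 443
! Server side: only the known server may originate traffic toward clients.
! (Assumes return packets of an established flow are not re-checked.)
access-list SERVERS line 10 extended permit ip host 10.0.0.100 any
!
! Non-IP traffic: BPDUs are denied by default. In a redundant (failover)
! pair they must be permitted on both bridged interfaces so the upstream
! switches can detect and block a bridging loop.
access-list NONIP ethertype permit bpdu
!
! Client-side VLAN. "bridge-group 15" makes this an L2 interface, so it
! carries no IP address. EtherType ACLs are input-only. Applying one
! extended and one EtherType ACL in the same direction is assumed here.
interface vlan 100
  bridge-group 15
  access-group input WEB
  access-group input NONIP
  no shutdown
!
! Server-side VLAN: the second, and last permitted, member of bridge group 15.
interface vlan 200
  bridge-group 15
  access-group input SERVERS
  access-group input NONIP
  no shutdown
!
! BVI numbered after the bridge group. It is the only interface in the group
! with an IP address and is the source for ARP and management traffic.
! ip address and peer ip address are the per-appliance addresses of the
! active/standby pair; alias is the address the pair shares. All three
! lie in the bridged subnet 10.0.0.0/24.
interface bvi 15
  description BVI for bridge group 15
  ip address 10.0.0.10 255.255.255.0
  peer ip address 10.0.0.11 255.255.255.0
  alias 10.0.0.15 255.255.255.0
  no shutdown
```

Enter the listing in configuration mode of the context that owns the VLANs (the Admin context in the prompts used throughout this chapter), then confirm the result with show interface vlan 100, show interface vlan 200, and show interface bvi 15. The two extended ACLs are deliberately asymmetric: the client-side list admits only the service the bridge exists to carry, and the server-side list admits only flows that originate from the known server, so a compromised host on either side cannot use the bridge to reach arbitrary addresses on the other. On a device without redundancy you can omit peer ip address and alias, but the NONIP ACL should still be applied to both VLANs if the surrounding switches rely on spanning tree to detect loops through the ACE.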
You can display information about a bridge-group VLAN by using the show interface vlan command in Exec mode. For example, enter:
host1/Admin# show interface vlan 15
To display information about a BVI, use the show interface bvi command in Exec mode. For example, enter:
host1/Admin# show interface bvi 15
For information about the fields in the show interface command, see Table 2-2 in Chapter 2, "Configuring VLAN Interfaces."