Application Control Engine Module Getting Started Guide (Software Version A2(3.0)) - Configuring Bridged Mode [Cisco Services Modules]

Table Of Contents

Configuring Bridged Mode

Information About Configuring Bridged Mode

Prerequisites

Guidelines and Limitations

Configuring Bridged Mode on the ACE

Task Flow for Configuring Bridged Mode

Configuring Server Load Balancing

Configuring the VLANs and a BVI

Configuration Example for Bridged Mode

Where to Go Next

Configuring Bridged Mode

This chapter describes how to configure the Cisco Application Control Engine (ACE) module to bridge traffic on a single IP subnet.

This chapter includes the following topics:

•Information About Configuring Bridged Mode

•Guidelines and Limitations

•Task Flow for Configuring Bridged Mode

•Configuring Bridged Mode on the ACE

•Configuration Example for Bridged Mode

•Where to Go Next

Information About Configuring Bridged Mode

After reading this chapter, you should have a basic understanding of bridged mode, how it works in the ACE, and how to configure it.

Up to this point in this guide, you have been configuring the ACE in routed mode. Routed mode treats the ACE as a next hop in the network, typically with a client-side VLAN and a server-side VLAN in different IP subnets or even in different IP networks. The VLAN interfaces rely on IP addresses to route packets from one subnet or network to another.

In bridged mode, the ACE bridges traffic between two VLANs in the same IP subnet. The VLAN facing the WAN is the client-side VLAN. The VLAN facing the data center is the server-side VLAN. A bridge group virtual interface (BVI) joins the two VLANs into one bridge group.

As traffic passes through the client-side VLAN, the ACE evaluates the traffic with the configured service policy. Traffic that matches a policy is redirected to a server that has a dedicated VLAN interface configured on the ACE. Traffic leaving the server goes to the ACE, where it is directed out of the server side VLAN to the origin server. Traffic is routed by means of static routing. No dynamic routing protocols are required.

Prerequisites

Bridged mode on an ACE has the following prerequisites:

•Contact your network administrator to determine which VLANs and addresses are available for use by the ACE. Then, configure VLANs for the ACE using the Cisco IOS Software (see the "Configuring VLANs for the ACE Using Cisco IOS Software" section).

•Configure a default route on the ACE (see the "Configuring a Default Route" section).

•Configure an access list to allow traffic (see the "Configuring an ACL" section).

Guidelines and Limitations

Bridged mode on the ACE has the following configuration guidelines and limitations:

•The ACE supports 4,094 BVIs per system.

•The ACE supports a maximum of 8,192 interfaces per system that include VLANs, shared VLANs, and BVI interfaces.

•When you configure a bridge group on an interface VLAN, the ACE automatically makes it a bridged interface.

•The ACE supports a maximum of two Layer 2 interface VLANs per bridge group.

•The ACE does not allow shared VLAN configurations on Layer 2 interfaces.

•Because Layer 2 VLANs are not associated with an IP address, they require extended access control lists (ACLs) for controlling IP traffic. You can also optionally configure EtherType ACLs to pass non-IP traffic.

•The ACE does not perform MAC address learning on a bridged interface. Instead, learning is performed by ARP. Bridge lookup is based on the bridge-group identifier and destination MAC address. A bridged interface automatically sends multicast and broadcast bridged traffic to the other interface of the bridge group.

•ARP packets are always passed through an Layer 2 interface after their verification and inspection. Multicast and broadcast packets from the incoming interface are flooded to the other L2 interface in the bridge group.

•The server default gateway is the upstream router.

Configuring Bridged Mode on the ACE

This section describes how to configure bridged mode using the example shown in Figure 13-1.

Figure 13-1 Example of Bridged Mode

The configuration of the example setup is as follows:

•A virtual server VS_WEB2 is created with a virtual IP address 10.15.3.100 to forward the client traffic from VLAN 40 to the servers in VLAN 41.

•There are four real servers grouped into the server farm SF_WEB2.

•VLAN 40 is assigned to the ACE and is used for client-side traffic. VLAN 41 is assigned to the ACE and is used for server-side traffic.

•A BVI with the IP address 10.15.3.5 configures the two VLANs into one bridge group.

This section contains the following topics:

•Prerequisites

•Configuring Server Load Balancing

•Configuring the VLANs and a BVI

Task Flow for Configuring Bridged Mode

Follow these steps to configure bridged mode on the ACE:

Step 1 Configure the real servers and server farm.

Step 2 Configure a TCP probe and associate it with the server farm.

Step 3 Configure the VIP address where clients are to send requests.

Step 4 Create the policy for load-balancing traffic.

Step 5 Create a service policy.

Step 6 Create the client and server VLANs and associate them with a BVI.

Step 7 Apply the access group and service policy to the interface.

Configuring Server Load Balancing

Procedure

Step 1 Add the four real servers (see the "Configuring Real Servers" section), using the following real server names, descriptions, and IP addresses and place each server in service:

•Name: RS_WEB5, Description: content server web-five, IP Address: 10.15.3.11

•Name: RS_WEB6, Description: content server web-six, IP Address: 10.15.3.12

•Name: RS_WEB7, Description: content server web-seven, IP Address: 10.15.3.13

•Name: RS_WEB8, Description: content server web-eight, IP Address: 10.15.3.14

Step 2 Group these real servers into a server farm (see "Creating a Server Farm") and place each server in service. In this example, name the server farm SF_WEB2.

Step 3 Configure a TCP probe to check the health of all the real servers in the server farm and associate the probe with the server farm. See the "Configuration Example for Bridged Mode" section.

Step 4 Create a virtual server traffic policy (see "Creating a Virtual Server Traffic Policy" section, Steps 1 through 12). For this example, do the following:

•Create a Layer 7 policy map for the action when the client request arrives and is sent to the server farm, name the load-balancing policy HTTP_LB, configure a default class map, and associate the server farm SF_WEB2.

•Create a Layer 3 and Layer 4 class map to define the VIP where the clients will send their requests, and name the class map VS_WEB2 with a match virtual address of 10.15.3.100 with a match on any port.

•Create a Layer 3 and Layer 4 multi-match policy map to direct classified incoming requests to the load-balancing policy map. In this example, name the policy HTTP_MULTI_MATCH, associate the VS_WEB2 class map and the HTTP_LB policy map. and then enable the VIP for load-balancing operations by placing it in service.

Configuring the VLANs and a BVI

You can configure bridged mode by creating the client-side a nd the server side VLANs on the ACE and associating them with a BVI.

Procedure
Command

Purpose
Step 1
changeto context
Example:
host1/Admin# changeto VC_WEB
host1/VC_WEB#
Changes to the correct context if necessary. Check the CLI prompt to verify that you are operating in the desired context.
Step 2
config
Example:
host1/VC_WEB# config
host1/VC_WEB(config)# 
Enters configuration mode.
Step 3
interface vlan vlan_id
Example:
host1/VC_WEB(config)# interface vlan 40
host1/VC_WEB(config-if)#
Accesses the interface for the client-side VLAN.
Step 4
description string
Example:
host1/VC_WEB(config-if)# description 
Client_side
Enters a description of the VLAN.
Step 5
bridge-group number
Example:
host1/VC_WEB(config-if)# bridge-group 1
Assigns the VLAN to the BVI.
Step 6
access-group input acl_name
Example:
host1/VC_WEB(config-if)# access-group 
input INBOUND
Applies the ACL to the VLAN.
Step 7
service-policy input policy_name
Example:
host1/VC_WEB(config-if)# service-policy 
input HTTP_MULTI_MATCH
Applies the multi-match policy map to the VLAN.
Step 8
no shutdown
Example:
host1/VC_WEB(config-if)# no shutdown
Places the VLAN in service.
Step 9
exit
Example:
host1/VC_WEB(config-if)# exit
host1/VC_WEB(config)#
Exits interface configuration mode.
Step 10
interface vlan vlan_id
Example:
host1/VC_WEB(config)# interface vlan 41
host1/VC_WEB(config-if)#
Accesses the interface for the server-side VLAN.
Step 11
description string
Example:
host1/VC_WEB(config-if)# description 
Server_side
Enters a description of the VLAN.
Step 12
bridge-group number
Example:
host1/VC_WEB(config-if)# bridge-group 1
Assigns the VLAN to the BVI.
Step 13
no shutdown
Example:
host1/VC_WEB(config-if)# no shutdown
Places the VLAN in service.
Step 14
exit
Example:
host1/VC_WEB(config-if)# exit
host1/VC_WEB(config)#
Exits interface configuration mode.
Step 15
interface bvi number
Example:
host1/VC_WEB(config)# interface bvi 1
host1/VC_WEB(config-if)#
Creates the BVI.
Step 16
description string
Example:
host1/VC_WEB(config-if)# description 
Client and server bridge group 1
Enters a description of the BVI.
Step 17
ip address ip_address netmask
Example:
host1/VC_WEB(config-if)# ip address 
10.15.3.5 255.255.255.0
Assigns an IP address and network mask to the BVI interface.
Step 18
no shutdown
Example:
host1/VC_WEB(config-if)# no shutdown
Places the BVI in service.
Step 19
Ctrl-Z
Example:
host1/Admin(config-if)# Ctrl-Z
host1/Admin#
Returns to Exec mode directly from any configuration mode.
Step 20
show running-config interface
Example:
host1/Admin# show running-config 
interface
Displays the interface configuration.
Step 21
show interface bvi number
Example:
host1/Admin# show interface bvi 1
Displays the status and statistics for the BVI interface.
Step 22
copy running-config startup-config
Example:
host1/Admin# copy running-config startup-config
(Optional) Copies the running configuration to the startup configuration.
Configuration Example for Bridged Mode

The following running configuration example shows a basic bridged mode configuration. The commands that you have configured in this chapter appear in bold text.
access-list INBOUND extended permit ip any
probe tcp TCP_PROBE1
rserver host RS_WEB5
description content server web-five
ip address 10.15.3.11
inservice
rserver host RS_WEB6
description content server web-six
ip address 10.15.3.12
inservice
rserver host RS_WEB7
description content server web-seven
ip address 10.15.3.13
inservice
rserver host RS_WEB8
description content server web-eight
ip address 10.15.3.14
inservice
serverfarm SF_WEB2
    probe TCP_PROBE1
rserver RS_WEB5 80
inservice
rserver RS_WEB6 80
inservice
rserver RS_WEB7 80
inservice
rserver RS_WEB8 80
inservice
policy-map type loadbalance first-match HTTP_LB
class-default
serverfarm SF_WEB2
class-map VS_WEB2
match virtual-address 10.15.3.100 any
policy-map multi-match HTTP_MULTI_MATCH
class VS_WEB2
loadbalance policy HTTP_LB
loadbalance vip inservice
interface bvi 1
description Client and server bridge group 1
ip address 10.15.3.5 255.255.255.0
no shutdown
interface vlan 40
description Client_side
bridge-group 1
access-group input INBOUND
service-policy input HTTP_MULTI_MATCH
no shutdown
interface vlan 41
description Server-side
bridge-group 1
no shutdown
context VC_WEB
allocate-interface vlan 40
allocate-interface vlan 41
member RC_WEB
ip route 0.0.0.0 0.0.0.0 10.15.3.1
Where to Go Next

In this chapter, you have learned how to configure bridged mode on your ACE. For more detailed information about both bridged mode and routed mode, see the Cisco Application Control Engine Module Routing and Bridging Configuration Guide.

In the next chapter, you will learn how to configure your ACE for "one-arm" mode.