ACE Integration with the Cisco Catalyst 6500 Configuration Example
From DocWiki
Revision as of 18:37, 4 December 2008
Introduction
This example shows how to allocate VLANs to the ACE module so the ACE module can be interconnected to the network.
Design
In a simple scenario, the MSFC shares VLANs with the ACE modules. The basic VLAN structure is as follows:
| VLAN Names | Common names for Datacenter VLANs | VLAN ID |
|---|---|---|
| Public VLAN | ACE Client VLAN | VLAN 10 |
| Private VLAN | ACE Server VLAN | VLAN 20 |
When allocating VLANs to a vlan-group, be aware that a specific VLAN can only be allocated to one vlan-group. This requirement can dictate the use of multiple vlan-groups. In the common scenario with both FWSM and ACE modules, the basic VLAN structure is as follows:
| VLAN Names | Common names for Datacenter VLANs | VLAN ID |
|---|---|---|
| Internet Facing VLAN | FWSM Outside | VLAN 10 |
| DMZ VLAN | FWSM Inside | VLAN 20 |
| DMZ VLAN | ACE Client VLAN | VLAN 20 |
| Private VLAN | ACE Server VLAN | VLAN 30 |
Configuration
In this example of a simple scenario, VLANs 10 and 20 need to be allocated to the ACE module:
svclc multiple-vlan-interfaces
svclc module 1 vlan-group 7
svclc vlan-group 7 10,20
In this example, VLANs 10 and 20 need to be allocated to the FWSM and VLANs 20 and 30 to the ACE module. Because a VLAN can belong to only one vlan-group, an additional vlan-group must be allocated for the VLAN shared between the FWSM and ACE modules.
svclc multiple-vlan-interfaces
firewall module 1 vlan-group 3
firewall module 1 vlan-group 5
svclc module 2 vlan-group 5
svclc module 2 vlan-group 7
firewall vlan-group 3 10
firewall vlan-group 5 20
svclc vlan-group 7 30
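An offline check for the one-VLAN-per-vlan-group rule, added here as an example and not part of the original page: it parses the vlan-group lines of the FWSM and ACE scenario above, reports which VLANs each module receives, and flags any VLAN defined in more than one group. The names `expand` and `audit` are hypothetical, and the sample text is the configuration shown on this page.

```python
import re
from collections import defaultdict

# Configuration from the FWSM + ACE scenario on this page.
SAMPLE_CONFIG = """\
svclc multiple-vlan-interfaces
firewall module 1 vlan-group 3
firewall module 1 vlan-group 5
svclc module 2 vlan-group 5
svclc module 2 vlan-group 7
firewall vlan-group 3 10
firewall vlan-group 5 20
svclc vlan-group 7 30
"""

GROUP_DEF = re.compile(r"^(?:svclc|firewall) vlan-group (\d+) (\S+)$")
MODULE_BIND = re.compile(r"^(svclc|firewall) module (\d+) vlan-group (\S+)$")

def expand(spec):
    """Expand a list such as '2-100,110' into a set of integers."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def audit(config):
    """Return (VLANs per module, VLANs defined in more than one vlan-group)."""
    groups = defaultdict(set)    # group id -> VLAN ids
    bindings = defaultdict(set)  # (keyword, slot) -> group ids
    for line in map(str.strip, config.splitlines()):
        if m := GROUP_DEF.match(line):
            groups[int(m[1])] |= expand(m[2])
        elif m := MODULE_BIND.match(line):
            bindings[(m[1], int(m[2]))] |= expand(m[3])
    owners = defaultdict(set)    # VLAN id -> groups that contain it
    for gid, vlans in groups.items():
        for vlan in vlans:
            owners[vlan].add(gid)
    conflicts = {v: sorted(g) for v, g in owners.items() if len(g) > 1}
    per_module = {
        key: sorted(set().union(*(groups[g] for g in gids)))
        for key, gids in bindings.items()
    }
    return per_module, conflicts
```

Run against the page's configuration, `audit(SAMPLE_CONFIG)` shows VLAN 20 reaching both modules through the single shared group 5, with no VLAN defined twice.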
Related Show Commands
This section provides information you can use to confirm your configuration is working properly.
Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.
DC1-Cat6k1#show module
DC1-Cat6k1#show asic slot 3
DC1-Cat6k1#show interfaces TenGigabitEthernet 3/1 status
DC1-Cat6k1#show interfaces TenGigabitEthernet 3/1 counters
DC1-Cat6k1#show interfaces TenGigabitEthernet 3/1 trunk
DC1-Cat6k1#show svclc vlan-group
DC1-Cat6k1#show svclc module
Comments
Notice that either the firewall or the svclc command can be used to define a vlan-group. However, the firewall command must be used to allocate vlan-groups to an FWSM, and the svclc command must be used to allocate vlan-groups to an ACE module. Once VLANs have been allocated to the ACE module, the process of virtualization and resource allocation can begin.
show running-config
DC1-Cat6k1#show run
Building configuration...

Current configuration : 22051 bytes
!
! Last configuration change at 13:52:32 PST Fri Nov 2 2007 by cisco
! NVRAM config last updated at 10:59:07 PST Mon Sep 24 2007 by cisco
!
upgrade fpd auto
version 12.2
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
service internal
service counters max age 5
!
hostname DC1-Cat6k1
!
boot system flash sup-bootdisk:
logging monitor warnings
enable secret 5 $1$GKmU$.1PbnHWyoWZvIqtuxlJBh/
enable password ciscotme
!
username cisco privilege 15 password 0 ciscotme
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
clock timezone PST -8
svclc autostate
svclc multiple-vlan-interfaces
svclc module 3 vlan-group 1
svclc module 4 vlan-group 1
svclc vlan-group 1 2-100,110,211-218,321,411-418
firewall module 4 vlan-group 1
ip subnet-zero

