ACE Integration with the Cisco Catalyst 6500 Configuration Example

From DocWiki

Revision as of 18:20, 2 December 2008 by Pzimmerm (Talk | contribs)

Introduction

This example shows how to allocate VLANs to the ACE module so the ACE module can be interconnected to the network.

Design

In a simple scenario where the MSFC shares VLANs with the ACE modules, the basic VLAN structure is as follows:

[Figure: Integrating ACE with the Cisco Catalyst 6500.jpg]

VLAN Names   | Common names for Datacenter VLANs | VLAN ID
Public VLAN  | ACE Client VLAN                   | VLAN 10
Private VLAN | ACE Server VLAN                   | VLAN 20

When allocating VLANs to a vlan-group, be aware that a specific VLAN can only be allocated to one vlan-group. This requirement can dictate the use of multiple vlan-groups. In the common scenario with both FWSM and ACE modules, the basic VLAN structure is as follows:

[Figure: Integrating ACE with the Cisco Catalyst 6500-2.jpg]

VLAN Names           | Common names for Datacenter VLANs | VLAN ID
Internet Facing VLAN | FWSM Outside                      | VLAN 10
DMZ VLAN             | FWSM Inside                       | VLAN 20
DMZ VLAN             | ACE Client VLAN                   | VLAN 20
Private VLAN         | ACE Server VLAN                   | VLAN 30

Configuration

In this example of a simple scenario, VLANs 10 and 20 need to be allocated to the ACE module:

svclc multiple-vlan-interfaces
svclc module 1 vlan-group 7
svclc vlan-group 7  10,20

In this example, with both FWSM and ACE modules, the intuitive allocation is VLANs 10 and 20 to the FWSM and VLANs 20 and 30 to the ACE module. Because a VLAN can belong to only one vlan-group, an additional vlan-group must be allocated for the VLAN shared between the FWSM and ACE modules:

svclc multiple-vlan-interfaces
firewall module 1 vlan-group 3
firewall module 1 vlan-group 5
svclc module 2 vlan-group 5
svclc module 2 vlan-group 7
firewall vlan-group 3  10
firewall vlan-group 5  20
svclc vlan-group 7  30
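
The vlan-group constraint can be checked offline before the lines are entered on the switch. The following Python sketch is an added example, not part of the original Cisco page; the names expand and audit and the NAIVE configuration are constructed for illustration. It flags any VLAN placed in more than one vlan-group and lists the VLANs that reach each module.

```python
import re
from collections import defaultdict

GROUP_RE = re.compile(r"^(?:svclc|firewall)\s+vlan-group\s+(\d+)\s+([\d,\-]+)$")  # group definition
MODULE_RE = re.compile(r"^(svclc|firewall)\s+module\s+(\d+)\s+vlan-group\s+([\d,]+)$")  # group to slot

# Constructed: the "intuitive" allocation the page describes, with VLAN 20 in two groups.
NAIVE = """\
firewall module 1 vlan-group 3
svclc module 2 vlan-group 7
firewall vlan-group 3  10,20
svclc vlan-group 7  20,30
"""
# The page's FWSM + ACE configuration, with the shared VLAN in its own group.
PAGE = """\
firewall module 1 vlan-group 3
firewall module 1 vlan-group 5
svclc module 2 vlan-group 5
svclc module 2 vlan-group 7
firewall vlan-group 3  10
firewall vlan-group 5  20
svclc vlan-group 7  30
"""

def expand(spec):
    """Expand a VLAN list such as '2-100,110' into a set of VLAN IDs."""
    vlans = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(config):
    """Return ({vlan: [groups]} for VLANs in >1 group, {(keyword, slot): [vlans]})."""
    groups, assigned = defaultdict(set), defaultdict(set)
    for line in map(str.strip, config.splitlines()):
        if m := GROUP_RE.match(line):
            groups[int(m[1])] |= expand(m[2])
        elif m := MODULE_RE.match(line):
            assigned[(m[1], int(m[2]))].update(int(g) for g in m[3].split(","))
    owners = defaultdict(set)
    for gid, vlans in groups.items():
        for v in vlans:
            owners[v].add(gid)
    overlaps = {v: sorted(g) for v, g in owners.items() if len(g) > 1}
    module_vlans = {mod: sorted(set().union(*(groups[g] for g in gids))) for mod, gids in assigned.items()}
    return overlaps, module_vlans

if __name__ == "__main__":
    print(audit(NAIVE), audit(PAGE), sep="\n")
```

Both configurations deliver the same VLANs to each module; only the page's version does so without placing VLAN 20 in two vlan-groups.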

Related Show Commands

This section provides information you can use to confirm your configuration is working properly.

Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.

DC1-Cat6k1#show module
DC1-Cat6k1#show asic slot 3
DC1-Cat6k1#show interfaces TenGigabitEthernet 3/1 status 
DC1-Cat6k1#show interfaces TenGigabitEthernet 3/1 counters 
DC1-Cat6k1#show interfaces TenGigabitEthernet 3/1 trunk 
DC1-Cat6k1#show svclc vlan-group
DC1-Cat6k1#show svclc module

Comments

Note that either the firewall or the svclc command can be used to define a vlan-group. However, the firewall command must be used to allocate vlan-groups to a FWSM, and the svclc command must be used to allocate vlan-groups to an ACE module. Once VLANs have been allocated to the ACE module, the process of virtualization and resource allocation can begin.

show running-config

DC1-Cat6k1#show run
Building configuration...

Current configuration : 22051 bytes
!
! Last configuration change at 13:52:32 PST Fri Nov 2 2007 by cisco
! NVRAM config last updated at 10:59:07 PST Mon Sep 24 2007 by cisco
!
upgrade fpd auto
version 12.2
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
service internal
service counters max age 5
!
hostname DC1-Cat6k1
!
boot system flash sup-bootdisk:
logging monitor warnings
enable secret 5 $1$GKmU$.1PbnHWyoWZvIqtuxlJBh/
enable password ciscotme
!
username cisco privilege 15 password 0 ciscotme
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
clock timezone PST -8
svclc autostate
svclc multiple-vlan-interfaces
svclc module 3 vlan-group 1
svclc module 4 vlan-group 1
svclc vlan-group 1  2-100,110,211-218,321,411-418
firewall module 4 vlan-group 1
ip subnet-zero

Related Information

Technical Support & Documentation - Cisco Systems
