ACE direct access to servers

Unanswered Question
Feb 10th, 2007

Hi,

How is it possible to configure direct access (management of the servers) from the client side to the real servers located on the server side in routed mode? Can anybody post a configuration example here?

Thanks

martin

Gilles Dufour Sun, 02/11/2007 - 02:34

Martin,

Nothing special is required.

You just need to make sure the traffic is allowed in your access-group acl.

Gilles.

sebastianvandijk Tue, 02/13/2007 - 04:37

Had that problem too, just added an in- and outbound access-list on both interfaces and problem solved.

I'm at the end of my rope (or cable) on what should be something simple: I cannot get direct-server access to work. My ACLs allow all IP traffic; I've tried class-maps and policy-maps to inspect ICMP, and applied everything in the right places (I think). Can someone provide a config snippet showing the pertinent parts for allowing pings and other LAN protocols through directly to the servers for management purposes, and also for server-to-server traffic that is necessary for such things as a Windows web server (rserver) talking to a domain controller located in a non-ACE VLAN?

Thanks.
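The pieces the replies above refer to, as an added example that is not configuration from any poster in this thread: a routed-mode ACE context with one access-list applied inbound and outbound on both the client-side and the server-side interface. The VLAN numbers, addresses and ACL names are constructed. The first ACL is the permit-everything form the thread describes; the second is an assumed alternative that limits pass-through management traffic to a management subnet and the server subnet, which is what a practitioner would normally prefer to an `ip any any` permit on a device that fronts servers.

```cisco
! --- Option A: what the thread describes, all IP traffic allowed through the ACE ---
access-list ALL-TRAFFIC line 10 extended permit ip any any

! --- Option B (assumed alternative): only the management subnet may reach the server VLAN directly,
!     and only ICMP (ping) and RDP; everything else not matched is dropped by the implicit deny ---
access-list MGMT-ONLY line 10 extended permit icmp 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list MGMT-ONLY line 20 extended permit tcp 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0 eq 3389
! Server-initiated traffic (for example an rserver talking to a domain controller in a non-ACE VLAN)
! enters the ACE on the server-side VLAN, so the input ACL there must permit it as well
access-list MGMT-ONLY line 30 extended permit ip 10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0

! Client-side interface (constructed VLAN 100)
interface vlan 100
  description client-side
  ip address 10.10.10.2 255.255.255.0
  access-group input ALL-TRAFFIC
  access-group output ALL-TRAFFIC
  no shutdown

! Server-side interface (constructed VLAN 200) where the rservers live
interface vlan 200
  description server-side
  ip address 10.20.20.1 255.255.255.0
  access-group input ALL-TRAFFIC
  access-group output ALL-TRAFFIC
  no shutdown

! Default route toward the MSFC / upstream router (constructed next hop)
ip route 0.0.0.0 0.0.0.0 10.10.10.1
```

To use the restricted form, replace `ALL-TRAFFIC` with `MGMT-ONLY` in the four `access-group` lines. Because the ACE applies an implicit deny at the end of every access-list and on any interface that has an access-group, a missing `access-group output` on the return path, or a server-side `access-group input` that does not cover server-initiated flows, produces exactly the "pings fail but ACLs look fine" symptom described in this thread.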

Solved my own problem. Without the server-side VLAN going through the ACE (i.e., I removed the VLAN from the svclc vlan-group and configured an IP on the VLAN on the MSFC), then direct-server access worked fine. With this VLAN behind the ACE it did not work when trying to reach one of my rservers that actually connected via a L2-only access switch but I could reach a different rserver that was connected on a second access switch. The ACE modules sit in aggregation switches that then are trunked down to the access switches.

One would think the problem was with the ACE.

I discovered that one of the access switches had an older IOS version than the other: 12.2(17d)SXB11a instead of 12.2(18)SXF7. Now, I knew IOS had to be at 12.2(18) just to see the ACE in the agg switches, but I did not think the version was so important for the access switches that are only doing switching.

I decided to bring the one access switch up to 12.2(18), and then the ACE was able to reach the one rserver I had trouble reaching.

Again, with the ACE removed from the server-side VLAN, I could reach rservers on both access switches.

Strange problem or is it known that all L2 switches must be at a given rev to support the ACE? I don't see how the ACE which is one switch removed from an access-only switch would or should do anything different to a frame that could affect the switching through downstream switches.

Gilles Dufour Wed, 03/21/2007 - 03:33

It is not required to have a special rev on your L2 switches unless they have an ACE module inside the switch itself.

There was probably a problem somewhere outside the ACE and the reboot fixed it.

Gilles.
