Ace and Routing

Jun 27th, 2007

I tried to make a VIP to route traffic from one VLAN to another:


class-map match-all DMZ.FIN.DIRECT
  3 match virtual-address 212.x.x.0 255.255.255.240 any

policy-map type loadbalance first-match DMZ.FIN.DIRECT
  class class-default
    forward

policy-map multi-match DMZ.FIN.DIRECT_FORWARD
  class DMZ.FIN.DIRECT
    loadbalance vip inservice
    loadbalance policy DMZ.FIN.DIRECT


My machine sits in VLAN 90: IP 172.16.9.200, GW 172.16.9.193 (the IP of the ACE).


So I added an ACL to the VLAN 90 interface:


access-list VIPS line 4 extended permit ip any 212.x.x.0 255.255.255.240

interface vlan 90
  ip address 172.16.9.193 255.255.255.192
  access-group input VIPS
  service-policy input DMZ.FIN.DIRECT_FORWARD


Note that the ACE has an interface in the second VLAN:

interface vlan 80
  ip address 212.x.x.1 255.255.255.240
  no shutdown



So far, everything is fine. Just out of curiosity, I removed the line

service-policy input DMZ.FIN.DIRECT_FORWARD

from the VLAN interface, and I can still access a machine in 212.63.226.0.



So I tried the same thing, but without a directly connected interface on the ACE, just a route with a next hop. All the same, it routes everything.


If it routes everything, I don't understand the use of

policy-map type loadbalance first-match DMZ.FIN.DIRECT
  class class-default
    forward


Or is there some kind of secure mode that I need to set up in order to control what's routed and what's not?


Here is the complete config:


Gilles Dufour (Cisco Employee) Wed, 06/27/2007 - 06:12

The ACE module will route traffic that does not hit a vserver and that is permitted by an ACL.

There is no need of a policy for that, unlike the CSM.


Gilles.
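To make the forwarding order in Gilles's answer concrete (input ACL first with an implicit deny, then the service-policy's VIP classes, then plain routing for anything permitted that hit no vserver), here is a small Python model of that decision. It is an added example, not ACE code and not from either poster; it uses the documentation prefix 203.0.113.0/28 as a placeholder for the thread's 212.x.x.0/28 and a constructed default-route next hop, and it reproduces the observation that removing the service-policy still leaves the traffic routed, because the ACL is what actually permits it.

```python
"""Model of the ACE input-side forwarding order described in the thread:
input ACL first (implicit deny), then the service-policy VIP classes,
then plain routing for anything permitted that hit no VIP.
Constructed example; 203.0.113.0/28 stands in for the post's 212.x.x.0/28."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

IPv4Net = ipaddress.IPv4Network


def network(addr: str, mask: str) -> IPv4Net:
    """Build a network from the address/netmask form used in ACE configs."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


@dataclass
class AclEntry:
    action: str                 # "permit" or "deny"
    src: Optional[IPv4Net]      # None means "any"
    dst: Optional[IPv4Net]


@dataclass
class VipClass:
    name: str                   # class-map name
    vip: IPv4Net                # match virtual-address <addr> <mask> any
    action: str                 # "forward" (route it) or a serverfarm action


@dataclass
class Interface:
    name: str
    access_group: List[AclEntry] = field(default_factory=list)    # access-group input
    service_policy: List[VipClass] = field(default_factory=list)  # service-policy input


def acl_lookup(acl: List[AclEntry], src, dst) -> str:
    """First matching entry wins; ACE ACLs end with an implicit deny."""
    for e in acl:
        if (e.src is None or src in e.src) and (e.dst is None or dst in e.dst):
            return e.action
    return "deny"


def route_lookup(routes: dict, dst) -> Optional[str]:
    """Longest-prefix match over connected and static routes."""
    best = None
    for net, via in routes.items():
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def ace_decision(intf: Interface, src_ip: str, dst_ip: str, routes: dict) -> str:
    """Decide what the ACE does with a packet arriving on `intf`."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if acl_lookup(intf.access_group, src, dst) != "permit":
        return "dropped by access-group"           # never reaches policy or routing
    for cls in intf.service_policy:
        if dst in cls.vip:
            return f"vip {cls.name}: {cls.action}"  # hit a vserver
    via = route_lookup(routes, dst)
    return f"routed via {via}" if via else "dropped: no route"


# Constructed data mirroring the thread's config (placeholder prefix).
ACL_VIPS = [AclEntry("permit", None, network("203.0.113.0", "255.255.255.240"))]
DMZ_FIN_DIRECT = VipClass("DMZ.FIN.DIRECT", network("203.0.113.0", "255.255.255.240"), "forward")
ROUTES = {
    network("172.16.9.192", "255.255.255.192"): "vlan90 (connected)",
    network("203.0.113.0", "255.255.255.240"): "vlan80 (connected)",
    network("0.0.0.0", "0.0.0.0"): "next-hop 172.16.9.254",   # constructed default route
}


def scenario(with_policy: bool, acl: Optional[List[AclEntry]] = None) -> str:
    """Packet from the poster's host to a machine in the 'VIP' range."""
    intf = Interface("vlan90", ACL_VIPS if acl is None else acl,
                     [DMZ_FIN_DIRECT] if with_policy else [])
    return ace_decision(intf, "172.16.9.200", "203.0.113.5", ROUTES)


if __name__ == "__main__":
    print("service-policy applied :", scenario(True))
    print("service-policy removed :", scenario(False))   # still forwarded: routed, as in the thread
    print("access-group removed   :", scenario(False, acl=[]))
```

The practical consequence for controlling what gets routed is the third line of output: with no access-group on the interface the implicit deny drops everything, so narrowing the ACL (rather than adding or removing the loadbalance policy) is the lever that decides which destinations the ACE will route between VLANs.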
