Ace and Routing

Jun 27th, 2007

I tried to make a VIP to route traffic from one VLAN to another :

class-map match-all DMZ.FIN.DIRECT
  3 match virtual-address 212.x.x.0 any

policy-map type loadbalance first-match DMZ.FIN.DIRECT
  class class-default

policy-map multi-match DMZ.FIN.DIRECT_FORWARD
  ! class line not shown in the original post; the two loadbalance
  ! commands below belong under the class that references the VIP
  class DMZ.FIN.DIRECT
    loadbalance vip inservice
    loadbalance policy DMZ.FIN.DIRECT

My machine sits in vlan 90: ip GW (the ip of the ACE).

So I added an ACL to the VLAN 90 interface:

access-list VIPS line 4 extended permit ip any 212.x.x.0

interface vlan 90
  ip address
  access-group input VIPS
  service-policy input DMZ.FIN.DIRECT_FORWARD

Note that the ACE has an interface in the second VLAN:

interface vlan 80
  ip address 212.x.x.1
  no shutdown

So far, everything is fine. Just out of curiosity, I removed the line

service-policy input DMZ.FIN.DIRECT_FORWARD

from the VLAN interface, and I can still access a machine in

So I tried the same thing, but without a directly connected interface on the ace, just a route with a next hop. All the same, it routes everything.

If it routes everything, I don't understand the use of

class class-default


Or is there some kind of secure mode that I need to set up in order to control what's routed and what's not?

Here is the complete config:

Gilles Dufour (Cisco Employee) Wed, 06/27/2007 - 06:12

The ACE module will route traffic that does not hit a vserver and that is permitted by ACL.

There is no need of policy for that unlike the CSM.
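Added example, not from the thread or from Cisco: since the interface ACL is what decides which non-VIP traffic the ACE routes between VLANs, narrowing the VLAN 90 ACL from the whole 212.x.x.0 subnet to the VIP host alone stops the incidental routing the poster observed. The VIP address and the subnet mask are placeholders.

```cisco
! Added example (not from the thread): permit only the VIP, not the whole
! 212.x.x.0 subnet behind the ACE. <vip-address> is a placeholder.
access-list VIPS line 4 extended permit ip any host <vip-address>
! ACE ACLs end in an implicit deny; the explicit deny makes the intent
! visible and gives a hit counter to watch for unexpected routed traffic
access-list VIPS line 8 extended deny ip any 212.x.x.0 255.255.255.0

interface vlan 90
  access-group input VIPS
  service-policy input DMZ.FIN.DIRECT_FORWARD
```

With this ACL, traffic to the VIP still matches the vserver and is load balanced, while traffic to any other host in VLAN 80 is dropped at the VLAN 90 interface instead of being routed.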