Ace and Routing

lionellemaire (Level 1)

I tried to make a VIP to route traffic from one VLAN to another:

class-map match-all DMZ.FIN.DIRECT
  3 match virtual-address 212.x.x.0 255.255.255.240 any

policy-map type loadbalance first-match DMZ.FIN.DIRECT
  class class-default
    forward

policy-map multi-match DMZ.FIN.DIRECT_FORWARD
  class DMZ.FIN.DIRECT
    loadbalance vip inservice
    loadbalance policy DMZ.FIN.DIRECT

My machine sits in VLAN 90: IP 172.16.9.200, GW 172.16.9.193 (the IP of the ACE).

So I added an ACL to the VLAN 90 interface:

access-list VIPS line 4 extended permit ip any 212.x.x.0 255.255.255.240

interface vlan 90
  ip address 172.16.9.193 255.255.255.192
  access-group input VIPS
  service-policy input DMZ.FIN.DIRECT_FORWARD

Note that the ACE has an interface in the second VLAN:

interface vlan 80
  ip address 212.x.x.1 255.255.255.240
  no shutdown

So far, everything is fine. Just out of curiosity, I removed the line

service-policy input DMZ.FIN.DIRECT_FORWARD

from the VLAN interface, and I can still access a machine in 212.63.226.0.

So I tried the same thing, but without a directly connected interface on the ACE, just a route with a next hop. All the same, it routes everything.

If it routes everything, I don't understand the use of

policy-map type loadbalance first-match DMZ.FIN.DIRECT
  class class-default
    forward

Or is there some kind of secure mode that I need to set up in order to control what's routed and what's not?

Here is the complete config:


Gilles Dufour (Cisco Employee)

The ACE module will route traffic that does not hit a vserver and that is permitted by ACL.

There is no need of a policy for that, unlike the CSM.

Gilles.
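As an added example (not code from the thread or from Cisco), here is a small Python model of the forwarding rule stated in the reply above: it parses the post's ACL and class-map lines and reports whether a given flow is dropped, sent to the vserver, or simply routed, which makes it easy to check that the interface ACL, not the service-policy, is what stops the ACE from routing between VLANs. The masked 212.x.x.0 is taken as the post's 212.63.226.0/28, and the tighter ACL is constructed for the comparison.

```python
import ipaddress

def _addr(tokens):
    """Consume one ACE address operand: 'any' or 'ADDR MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(config):
    """Parse 'access-list NAME line N extended permit|deny ip SRC DST' lines
    (only the plain 'ip' form used in the thread) into {name: [(action, src, dst)]}."""
    acls = {}
    for raw in config.splitlines():
        t = raw.split()
        if len(t) < 8 or t[0] != "access-list" or t[4] != "extended":
            continue
        src, rest = _addr(t[7:])
        dst, _ = _addr(rest)
        acls.setdefault(t[1], []).append((t[5], src, dst))
    return acls

def parse_vips(config):
    """Collect the networks from 'N match virtual-address ADDR MASK ...' lines."""
    vips = []
    for raw in config.splitlines():
        t = raw.split()
        if len(t) >= 5 and t[1:3] == ["match", "virtual-address"]:
            vips.append(_addr(t[3:])[0])
    return vips

def decide(acl_entries, vips, src, dst):
    """Forwarding rule stated in the reply: the interface ACL is checked first
    (first match wins, implicit deny at the end); a permitted flow that hits a
    VIP goes to the vserver, and any other permitted flow is simply routed."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in acl_entries:
        if s in snet and d in dnet:
            if action != "permit":
                return "drop"
            return "vserver" if any(d in v for v in vips) else "route"
    return "drop"

# Constructed sample: the thread's class-map and ACL, using the post's 212.63.226.0/28.
THREAD_CFG = """
class-map match-all DMZ.FIN.DIRECT
  3 match virtual-address 212.63.226.0 255.255.255.240 any
access-list VIPS line 4 extended permit ip any 212.63.226.0 255.255.255.240
"""
# Constructed tighter ACL: VLAN 90 hosts only, and only to one DMZ address.
TIGHT_CFG = "access-list VIPS line 4 extended permit ip 172.16.9.192 255.255.255.192 212.63.226.10 255.255.255.255\n"
```

With the thread's ACL, removing the service-policy only changes the result from "vserver" to "route" for the whole /28; with the tighter ACL, flows to any other DMZ host are dropped regardless of the policy.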

Thanks, this solves my issue.