Management traffic to the ACE

Unanswered Question
Jan 9th, 2008

Do I need to explicitly define management traffic coming to the ACE module? I see in a lot of configurations that they allow management traffic in a special class to the ACE.

Also, it is necessary to apply an access-list to the ACE module to accept traffic for the VIP; what if I do not use any access-list on the ACE, will the traffic go through?

Eric Rose Wed, 01/09/2008 - 10:56

Yes, you need to define allowed traffic to the ACE. The ACE acts as an implicit deny. It will block everything until you allow it. The first policy/class match that you should define is the management traffic class.

access-list ALL line 8 extended permit ip any any

class-map type management match-any remote_access
  2 match protocol xml-https any
  4 match protocol icmp any
  5 match protocol telnet any
  6 match protocol ssh any
  7 match protocol http any
  8 match protocol https any

policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit

interface vlan 121
  ip address
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown
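Added example, not part of the original reply or of Cisco's tooling: a small Python audit that resolves which management protocols a configuration like the one above permits on each interface, and flags the unencrypted ones (telnet, http) and entries that accept any source. The function name and finding labels are hypothetical; it assumes the configuration is indented as in a running-config and that class-maps and policy-maps appear before the interfaces.

```python
import re

CLEARTEXT = {"telnet", "http"}  # management protocols that are not encrypted
# Constructed input: the management stanzas from the reply, indented as in a running-config.
SAMPLE = """
class-map type management match-any remote_access
  2 match protocol xml-https any
  4 match protocol icmp any
  5 match protocol telnet any
  6 match protocol ssh any
  7 match protocol http any
  8 match protocol https any
policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit
interface vlan 121
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
"""

def audit_management(config):
    """Return sorted (interface, protocol, issue) findings; maps must precede interfaces."""
    classes, policies, findings = {}, {}, set()
    kind = name = cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"(class-map|policy-map) type management \S+ (\S+)$", line):
            kind, name = m.groups()
            (classes if kind == "class-map" else policies).setdefault(name, [])
        elif m := re.match(r"interface (.+)$", line):
            kind, name = "interface", m.group(1)
        elif raw[:1].strip():  # any other top-level line ends the current stanza
            kind = None
        elif kind == "class-map" and (m := re.match(r"(?:\d+ )?match protocol (\S+) (.+)$", line)):
            classes[name].append(m.groups())
        elif kind == "policy-map" and (m := re.match(r"class (\S+)$", line)):
            cls = m.group(1)
        elif kind == "policy-map" and line == "permit":
            policies[name].append(cls)  # only permitted classes reach the ACE
        elif kind == "interface" and (m := re.match(r"service-policy input (\S+)$", line)):
            for c in policies.get(m.group(1), []):
                for proto, source in classes.get(c, []):
                    if proto in CLEARTEXT:
                        findings.add((name, proto, "cleartext protocol"))
                    if source == "any":
                        findings.add((name, proto, "any source"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit_management(SAMPLE), sep="\n")
```

A class that matches only encrypted protocols with `source-address` and a management subnet in place of `any` produces no findings.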
