an access-list & class-map for mgmt access

Unanswered Question
Aug 21st, 2009
We're configuring a brand new ACE Control Module and I understand we need to configure both an access-list and a class-map/policy-map to allow access to the ACE. Can someone please tell me why both of these are required?


-Thanks

Gilles Dufour (Cisco Employee) Fri, 08/21/2009 - 22:36

By default all traffic is denied.

When configuring an access-group OR a service-policy you permit some traffic.


So, this is an OR.


Gilles.


axfalk Mon, 08/24/2009 - 08:51
Thanks for your response. We have been told by a Cisco eng that starting with ver. A2(1.5), all traffic is allowed, so we would need both. In addition, every sample config that I have seen had both an ACL and class matches.


Thanks again.




Gilles Dufour (Cisco Employee) Mon, 08/24/2009 - 23:14

I'm running the future A2(1.6) image:

loader: Version 12.2[118]
system: Version A2(1.6) [build 3.0(0)A2(1.5.48.gdufour) gdufour_09:06:40-2009/08/11_/ws/fredgroup-sjc/gdufour/Module/A2.1.6]
system image file: [LCP] disk0:c6ace-t1k9-mz.gdufour-mts5.bin
installed license: ACE-VIRT-250 ACE-SSL-05K-K9


And if I remove the access-group from the interface:

interface vlan 20
  ip address 192.168.20.123 255.255.255.0
  alias 192.168.20.124 255.255.255.0
  peer ip address 192.168.20.121 255.255.255.0
  mac-sticky enable
  access-group input PERMIT-ANY
  service-policy input ALLOW-ALL
  service-policy input SLB-SSL
  service-policy input SLB
  no shutdown

switch/Admin# conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch/Admin(config)# int vlan 20
switch/Admin(config-if)# no access-group input PERMIT-ANY

I can ping the interface (allowed by the service policy) but not ping a device behind the ACE (blocked because there is no access-group):

[[email protected] cisco]# ping 192.168.20.123
PING 192.168.20.123 (192.168.20.123) 56(84) bytes of data.
64 bytes from 192.168.20.123: icmp_seq=1 ttl=128 time=0.316 ms
64 bytes from 192.168.20.123: icmp_seq=2 ttl=128 time=0.332 ms

[[email protected] cisco]# ping 192.168.30.26
PING 192.168.30.26 (192.168.30.26) 56(84) bytes of data.

--- 192.168.30.26 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3002ms


If I add the access-group again:

switch/Admin(config-if)#
switch/Admin(config-if)# access-group input PERMIT-ANY

Then the ping through the ACE works:

[[email protected] cisco]# ping 192.168.30.26
PING 192.168.30.26 (192.168.30.26) 56(84) bytes of data.
64 bytes from 192.168.30.26: icmp_seq=4 ttl=64 time=0.300 ms
64 bytes from 192.168.30.26: icmp_seq=5 ttl=64 time=0.231 ms

Can't be more precise than that.


G.
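A minimal management-access configuration that puts the two pieces discussed in this thread side by side, added here as an example; it is not taken from the thread, from the poster's device or from Cisco's documentation. The interface access-list (bound with access-group) decides which traffic may enter the interface at all, while the management class-map/policy-map (bound with service-policy) decides which of that traffic the ACE's own address will answer. The names MGMT-ACL, MGMT-CLASS and MGMT-POLICY, the 10.0.0.0/24 admin subnet and the VLAN and address values are placeholders; the command syntax follows the ACE A2 command-reference form and should be checked against the running release before use.

```cisco
! Stage 1: interface ACL (placeholder name MGMT-ACL).
! Without an access-group on the interface, through traffic is dropped,
! which is the ping to 192.168.30.26 failing in the demonstration above.
! Restrict it to the admin subnet instead of the PERMIT-ANY used there.
access-list MGMT-ACL line 10 extended permit ip 10.0.0.0 255.255.255.0 any
access-list MGMT-ACL line 20 extended permit icmp any any

! Stage 2: management class-map (placeholder name MGMT-CLASS).
! This is what lets the ACE's own interface address answer SSH and ICMP;
! it is evaluated separately from the ACL and only covers traffic to the ACE.
class-map type management match-any MGMT-CLASS
  2 match protocol ssh source-address 10.0.0.0 255.255.255.0
  3 match protocol icmp source-address 10.0.0.0 255.255.255.0

! Management policy that permits whatever MGMT-CLASS matches.
policy-map type management first-match MGMT-POLICY
  class MGMT-CLASS
    permit

! Both are bound on the same interface (placeholder VLAN and address).
! Removing either one changes what gets through, as the thread shows.
interface vlan 20
  ip address 192.168.20.123 255.255.255.0
  access-group input MGMT-ACL
  service-policy input MGMT-POLICY
  no shutdown
```

With only the service-policy in place, hosts on the admin subnet can reach the ACE's own address; with only the access-group, traffic can pass through the ACE but the ACE will not answer management protocols itself. Scoping both to the admin subnet rather than any keeps the management plane reachable only from where it should be.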