08-21-2009 05:48 PM
We're configuring a brand new ACE Control Module and I understand we need to configure both an access-list and a class-map/policy-map to allow access to the ACE. Can someone please tell me why both of these are required?
-Thanks
08-21-2009 10:36 PM
By default all traffic is denied.
When configuring an access-group OR a service-policy you permit some traffic.
So, this is an OR.
Gilles.
08-24-2009 08:51 AM
Thanks for your response. We have been told by a Cisco eng that starting with ver. A2(1.5), all traffic is allowed, so we would need both. In addition, every sample config that I have seen had both an ACL and class matches.
Thanks again.
08-24-2009 11:14 PM
I'm running the future A2(1.6) image
loader: Version 12.2[118]
system: Version A2(1.6) [build 3.0(0)A2(1.5.48.gdufour) gdufour_09:06:40-20
09/08/11_/ws/fredgroup-sjc/gdufour/Module/A2.1.6]
system image file: [LCP] disk0:c6ace-t1k9-mz.gdufour-mts5.bin
installed license: ACE-VIRT-250 ACE-SSL-05K-K9
And if I remove the access-group from the interface:
interface vlan 20
ip address 192.168.20.123 255.255.255.0
alias 192.168.20.124 255.255.255.0
peer ip address 192.168.20.121 255.255.255.0
mac-sticky enable
access-group input PERMIT-ANY
service-policy input ALLOW-ALL
service-policy input SLB-SSL
service-policy input SLB
no shutdown
switch/Admin# conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch/Admin(config)# int vlan 20
switch/Admin(config-if)# no access-group input PERMIT-ANY
I can ping the interface (allowed by the service policy) but not ping a device behind the ACE (blocked because there is no access-group):
[root@Linux2 cisco]# ping 192.168.20.123
PING 192.168.20.123 (192.168.20.123) 56(84) bytes of data.
64 bytes from 192.168.20.123: icmp_seq=1 ttl=128 time=0.316 ms
64 bytes from 192.168.20.123: icmp_seq=2 ttl=128 time=0.332 ms
[root@Linux2 cisco]# ping 192.168.30.26
PING 192.168.30.26 (192.168.30.26) 56(84) bytes of data.
--- 192.168.30.26 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3002ms
If I add the access-group again:
switch/Admin(config-if)#
switch/Admin(config-if)# access-group input PERMIT-ANY
Then the ping through the ACE works:
[root@Linux2 cisco]# ping 192.168.30.26
PING 192.168.30.26 (192.168.30.26) 56(84) bytes of data.
64 bytes from 192.168.30.26: icmp_seq=4 ttl=64 time=0.300 ms
64 bytes from 192.168.30.26: icmp_seq=5 ttl=64 time=0.231 ms
Can't be more precise than that.
G.
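As an added example (not from the thread and not Gilles's own configuration), a minimal ACE configuration that shows the two controls side by side: the ACL applied with access-group governs traffic forwarded through the ACE, while the management class-map/policy-map governs traffic addressed to the ACE itself. The name PERMIT-ANY is from the thread; the ACL line, the class-map and policy-map names, and the 192.168.20.0/24 admin range are assumptions, and the management class is written restrictively rather than as an allow-all.

```cisco
! Traffic THROUGH the ACE (client -> server behind the module) is only
! forwarded once an ACL is applied to the ingress interface with access-group.
! Name PERMIT-ANY is from the thread; the line content below is assumed.
access-list PERMIT-ANY line 10 extended permit ip any any

! Traffic TO the ACE itself (ping, ssh, snmp to 192.168.20.123) is governed
! by a management class-map/policy-map, independently of the ACL above.
! Class/policy names and the 192.168.20.0/24 admin range are assumptions;
! only ICMP is open to any source, management protocols only to the admin net.
class-map type management match-any MGMT-FROM-ADMIN-NET
  2 match protocol icmp any
  3 match protocol ssh source-address 192.168.20.0 255.255.255.0
  4 match protocol snmp source-address 192.168.20.0 255.255.255.0

policy-map type management first-match ALLOW-MGMT
  class MGMT-FROM-ADMIN-NET
    permit

! Both are applied on the interface. Removing only the access-group line
! reproduces Gilles's test: ping to the interface still works, ping through
! the ACE fails; removing only the service-policy would do the reverse.
interface vlan 20
  ip address 192.168.20.123 255.255.255.0
  access-group input PERMIT-ANY
  service-policy input ALLOW-MGMT
  no shutdown
```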