an access-list & class-map for mgmt access

axfalk
Level 1

We're configuring a brand new ACE Control Module and I understand we need to configure both an access-list and a class-map/policy-map to allow access to the ACE. Can someone please tell me why both of these are required?

-Thanks

3 Replies

Gilles Dufour
Cisco Employee

By default all traffic is denied.

When configuring an access-group OR a service-policy you permit some traffic.

So, this is an OR.

Gilles.

Thanks for your response. We have been told by a Cisco eng that starting with ver. A2(1.5), all traffic is allowed, so we would need both. In addition, every sample config that I have seen had both an ACL and class matches.

Thanks again.

I'm running the future A2(1.6) image

loader: Version 12.2[118]
system: Version A2(1.6) [build 3.0(0)A2(1.5.48.gdufour) gdufour_09:06:40-2009/08/11_/ws/fredgroup-sjc/gdufour/Module/A2.1.6]
system image file: [LCP] disk0:c6ace-t1k9-mz.gdufour-mts5.bin
installed license: ACE-VIRT-250 ACE-SSL-05K-K9

And if I remove the access-group from the interface :

interface vlan 20
  ip address 192.168.20.123 255.255.255.0
  alias 192.168.20.124 255.255.255.0
  peer ip address 192.168.20.121 255.255.255.0
  mac-sticky enable
  access-group input PERMIT-ANY
  service-policy input ALLOW-ALL
  service-policy input SLB-SSL
  service-policy input SLB
  no shutdown

switch/Admin# conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch/Admin(config)# int vlan 20
switch/Admin(config-if)# no access-group input PERMIT-ANY

I can ping the interface (allowed by the service policy) but not a device behind the ACE (blocked because there is no access-group):

[root@Linux2 cisco]# ping 192.168.20.123
PING 192.168.20.123 (192.168.20.123) 56(84) bytes of data.
64 bytes from 192.168.20.123: icmp_seq=1 ttl=128 time=0.316 ms
64 bytes from 192.168.20.123: icmp_seq=2 ttl=128 time=0.332 ms

[root@Linux2 cisco]# ping 192.168.30.26
PING 192.168.30.26 (192.168.30.26) 56(84) bytes of data.

--- 192.168.30.26 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3002ms

If I add the access-group again:

switch/Admin(config-if)# access-group input PERMIT-ANY

Then the ping through the ACE works:

[root@Linux2 cisco]# ping 192.168.30.26
PING 192.168.30.26 (192.168.30.26) 56(84) bytes of data.
64 bytes from 192.168.30.26: icmp_seq=4 ttl=64 time=0.300 ms
64 bytes from 192.168.30.26: icmp_seq=5 ttl=64 time=0.231 ms

Can't be more precise than that.

G.
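To put the two halves of the test above side by side in configuration form, here is a minimal ACE configuration that is an added example and not from any post in this thread. It reuses the page's names PERMIT-ANY and ALLOW-ALL and the interface vlan 20 addressing; the management class-map name REMOTE-MGMT, the specific ACL entries and the 192.168.20.0/24 management source are assumptions, and the SLB and SLB-SSL load-balancing policies from the thread are left out.

```cisco
! Half 1: the access-group decides which traffic may enter the interface
! at all, including traffic that transits the ACE to servers behind it.
! Named PERMIT-ANY as on the page; the entries below are an assumed,
! tighter alternative to a literal "permit ip any any".
access-list PERMIT-ANY line 10 extended permit icmp any any
access-list PERMIT-ANY line 20 extended permit tcp any 192.168.30.0 255.255.255.0 eq www
access-list PERMIT-ANY line 30 extended permit tcp any 192.168.30.0 255.255.255.0 eq https

! Half 2: a management class-map/policy-map decides which traffic may
! terminate on the ACE's own interface address (ssh, icmp, snmp, ...).
! Without a matching management policy the ACE drops traffic to itself
! even when the access-group permits it.
class-map type management match-any REMOTE-MGMT
  2 match protocol icmp any
  3 match protocol ssh source-address 192.168.20.0 255.255.255.0
  4 match protocol snmp source-address 192.168.20.0 255.255.255.0

policy-map type management first-match ALLOW-ALL
  class REMOTE-MGMT
    permit

! Both are applied on the same interface; removing either one drops a
! different class of traffic, as the ping tests in the thread show.
interface vlan 20
  ip address 192.168.20.123 255.255.255.0
  alias 192.168.20.124 255.255.255.0
  peer ip address 192.168.20.121 255.255.255.0
  access-group input PERMIT-ANY
  service-policy input ALLOW-ALL
  no shutdown
```

Reading the thread's test against this: with the access-group removed, pings to 192.168.20.123 still answer because the management policy-map matches icmp to the ACE itself, while pings to 192.168.30.26 fail because nothing admits transit traffic; restoring the access-group brings the transit path back. Scoping the management match entries to the admin subnet, rather than "any", keeps ssh and snmp to the ACE reachable only from where operators actually sit.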