08-21-2009 05:48 PM
We're configuring a brand new ACE Control Module and I understand we need to configure both an access-list and a class-map/policy-map to allow access to the ACE. Can someone please tell me why both of these are required?
-Thanks
08-21-2009 10:36 PM
By default all traffic is denied.
When configuring an access-group OR a service-policy you permit some traffic.
So, this is an OR.
Gilles.
08-24-2009 08:51 AM
Thanks for your response. We have been told by a Cisco eng that starting with ver. A2(1.5), all traffic is allowed, so we would need both. In addition, every sample config that I have seen had both an ACL and class matches.
Thanks again.
08-24-2009 11:14 PM
I'm running the future A2(1.6) image
loader: Version 12.2[118]
system: Version A2(1.6) [build 3.0(0)A2(1.5.48.gdufour) gdufour_09:06:40-20
09/08/11_/ws/fredgroup-sjc/gdufour/Module/A2.1.6]
system image file: [LCP] disk0:c6ace-t1k9-mz.gdufour-mts5.bin
installed license: ACE-VIRT-250 ACE-SSL-05K-K9
And if I remove the access-group from the interface:
interface vlan 20
ip address 192.168.20.123 255.255.255.0
alias 192.168.20.124 255.255.255.0
peer ip address 192.168.20.121 255.255.255.0
mac-sticky enable
access-group input PERMIT-ANY
service-policy input ALLOW-ALL
service-policy input SLB-SSL
service-policy input SLB
no shutdown
switch/Admin# conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch/Admin(config)# int vlan 20
switch/Admin(config-if)# no access-group input PERMIT-ANY
I can ping the interface (allowed by the service policy) but not ping a device behind the ACE (blocked because there is no access-group).
[root@Linux2 cisco]# ping 192.168.20.123
PING 192.168.20.123 (192.168.20.123) 56(84) bytes of data.
64 bytes from 192.168.20.123: icmp_seq=1 ttl=128 time=0.316 ms
64 bytes from 192.168.20.123: icmp_seq=2 ttl=128 time=0.332 ms
[root@Linux2 cisco]# ping 192.168.30.26
PING 192.168.30.26 (192.168.30.26) 56(84) bytes of data.
--- 192.168.30.26 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3002ms
If I add the access-group again:
switch/Admin(config-if)#
switch/Admin(config-if)# access-group input PERMIT-ANY
Then the ping through the ACE works:
[root@Linux2 cisco]# ping 192.168.30.26
PING 192.168.30.26 (192.168.30.26) 56(84) bytes of data.
64 bytes from 192.168.30.26: icmp_seq=4 ttl=64 time=0.300 ms
64 bytes from 192.168.30.26: icmp_seq=5 ttl=64 time=0.231 ms
Can't be more precise than that.
G.
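As an added example (not from the thread), here are plausible definitions for the PERMIT-ANY access-list and the ALLOW-ALL management policy that the interface above references; the thread does not show their contents, so the ACL entries, the class-map name MGMT-TO-ACE and the SSH source subnet are assumptions. The management class-map/policy-map governs traffic addressed to the ACE itself (the ping to 192.168.20.123), while the access-group governs traffic forwarded through the ACE (the ping to 192.168.30.26), which is why removing only the access-group breaks the second ping but not the first.

```cisco
access-list PERMIT-ANY remark Transit traffic THROUGH the ACE (constructed example contents)
access-list PERMIT-ANY line 10 extended permit ip any any

class-map type management match-any MGMT-TO-ACE
  description Traffic addressed TO the ACE itself (constructed example)
  2 match protocol icmp any
  3 match protocol ssh source-address 192.168.20.0 255.255.255.0

policy-map type management first-match ALLOW-ALL
  class MGMT-TO-ACE
    permit

interface vlan 20
  ip address 192.168.20.123 255.255.255.0
  access-group input PERMIT-ANY
  service-policy input ALLOW-ALL
  no shutdown
```

With this in place, `no access-group input PERMIT-ANY` leaves only the management policy active, so the interface still answers ICMP while nothing is forwarded through the ACE, matching the session above.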