an access-list & class-map for mgmt access

axfalk
Level 1

We're configuring a brand new ACE Control Module and I understand we need to configure both an access-list and a class-map/policy-map to allow access to the ACE. Can someone please tell me why both of these are required?

-Thanks

3 Replies

Gilles Dufour
Cisco Employee

By default all traffic is denied.

When configuring an access-group OR a service-policy you permit some traffic.

So, this is an OR.

Gilles.

Thanks for your response. We have been told by a Cisco eng that starting with ver. A2(1.5), all traffic is allowed, so we would need both. In addition, every sample config that I have seen had both an ACL and class matches.

Thanks again.

I'm running the future A2(1.6) image

loader: Version 12.2[118]
system: Version A2(1.6) [build 3.0(0)A2(1.5.48.gdufour) gdufour_09:06:40-2009/08/11_/ws/fredgroup-sjc/gdufour/Module/A2.1.6]
system image file: [LCP] disk0:c6ace-t1k9-mz.gdufour-mts5.bin
installed license: ACE-VIRT-250 ACE-SSL-05K-K9

And if I remove the access-group from the interface:

interface vlan 20
  ip address 192.168.20.123 255.255.255.0
  alias 192.168.20.124 255.255.255.0
  peer ip address 192.168.20.121 255.255.255.0
  mac-sticky enable
  access-group input PERMIT-ANY
  service-policy input ALLOW-ALL
  service-policy input SLB-SSL
  service-policy input SLB
  no shutdown

switch/Admin# conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch/Admin(config)# int vlan 20
switch/Admin(config-if)# no access-group input PERMIT-ANY

I can ping the interface (allowed by the service policy) but not ping a device behind the ACE (blocked because there is no access-group):

[root@Linux2 cisco]# ping 192.168.20.123
PING 192.168.20.123 (192.168.20.123) 56(84) bytes of data.
64 bytes from 192.168.20.123: icmp_seq=1 ttl=128 time=0.316 ms
64 bytes from 192.168.20.123: icmp_seq=2 ttl=128 time=0.332 ms

[root@Linux2 cisco]# ping 192.168.30.26
PING 192.168.30.26 (192.168.30.26) 56(84) bytes of data.

--- 192.168.30.26 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3002ms

If I add the access-group again:

switch/Admin(config-if)#
switch/Admin(config-if)# access-group input PERMIT-ANY

Then the ping through the ACE works:

[root@Linux2 cisco]# ping 192.168.30.26
PING 192.168.30.26 (192.168.30.26) 56(84) bytes of data.
64 bytes from 192.168.30.26: icmp_seq=4 ttl=64 time=0.300 ms
64 bytes from 192.168.30.26: icmp_seq=5 ttl=64 time=0.231 ms

Can't be more precise than that.

G.
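The two halves side by side, as an added configuration example that is not from this thread or from a Cisco sample config. The ACL name PERMIT-ANY and the VLAN 20 addresses are the ones shown above; the class-map MGMT-ACCESS, the policy-map ALLOW-MGMT and the 192.168.20.0/24 management source network are assumptions.

```cisco
! Added example: which object governs which kind of traffic on an ACE interface.
! PERMIT-ANY and the VLAN 20 addresses are from the thread; MGMT-ACCESS,
! ALLOW-MGMT and the 192.168.20.0/24 source are assumed values.

! 1) Traffic THROUGH the ACE (clients to real servers behind it) is governed
!    only by the access-group. With it removed, the ping to 192.168.30.26
!    above fails even though the management policy is still applied.
access-list PERMIT-ANY line 10 extended permit ip any any

! 2) Traffic TO the ACE itself (ping/ssh/snmp to the interface or alias
!    address) is governed only by a type-management policy. The access-group
!    does not open the box; without this policy the ping to 192.168.20.123
!    above fails. Scope the sources here rather than matching any.
class-map type management match-any MGMT-ACCESS
  2 match protocol icmp any
  3 match protocol ssh source-address 192.168.20.0 255.255.255.0
  4 match protocol snmp source-address 192.168.20.0 255.255.255.0

policy-map type management first-match ALLOW-MGMT
  class MGMT-ACCESS
    permit

! Both are applied on the same interface. Removing either one drops only
! the traffic class it governs, which is why neither replaces the other.
interface vlan 20
  ip address 192.168.20.123 255.255.255.0
  alias 192.168.20.124 255.255.255.0
  peer ip address 192.168.20.121 255.255.255.0
  access-group input PERMIT-ANY
  service-policy input ALLOW-MGMT
  no shutdown
```

In production the PERMIT-ANY ACL would normally be narrowed to the VIPs and protocols the ACE is meant to front, since it is the only filter on traffic passing through the module.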
