ACE ACL issue

Unanswered Question
Dec 30th, 2009


Hello

I am trying to allow access to one of the ACE contexts from an out-of-band network. I'd like to secure it so that nothing from the ACE side is able to connect to the OOB network, while some particular hosts have SSH access to the ACE context.

I have already configured the appropriate management class-map that secures SSH access to the ACE, but I have a problem with securing the opposite direction. I've configured an ACL that denies all IP and ICMP traffic and applied it to the outside direction of the management VLAN.

Unfortunately I can still ping and access some resources in the OOB network from the ACE context.

Do you know what else I should do to make it work?

Thanks in advance for any help.

Regards

Lucas

Gilles Dufour Wed, 12/30/2009 - 08:12

Lucas,

the ACL is not applied to traffic generated by the ACE itself.

You should try from a device behind the ACE.

Gilles.
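As an added illustration of the setup discussed above (not configuration from the original thread or from either poster), the following ACE context snippet shows the two pieces together: a management class-map that only admits SSH from specific OOB hosts, and an output ACL on the management VLAN that blocks transit traffic toward the OOB network. The VLAN number, addresses, and object names are assumed for the example. As the reply notes, the ACL only filters traffic passing through the ACE; it does not affect traffic the ACE itself originates, so a ping from the context CLI is not a valid test of the ACL.

```cisco
! --- Assumed values: VLAN 100 is the management VLAN, 10.0.0.0/24 is the OOB network,
! --- 10.0.0.5 and 10.0.0.6 are the only hosts allowed to SSH into this context.

! Management traffic terminating on the ACE is controlled by a management
! class-map / policy-map, not by interface ACLs.
class-map type management match-any MGMT-ACCESS
  2 match protocol ssh source-address 10.0.0.5 255.255.255.255
  3 match protocol ssh source-address 10.0.0.6 255.255.255.255

policy-map type management first-match MGMT-POLICY
  class MGMT-ACCESS
    permit

! Transit traffic leaving the context toward the OOB network is blocked.
! This applies to traffic passing through the ACE (e.g. from a server VLAN
! behind it), not to traffic generated by the ACE context itself.
access-list OOB-DENY line 10 extended deny ip any 10.0.0.0 255.255.255.0

! Inbound, only the permitted hosts may reach the context's management address.
access-list OOB-IN line 10 extended permit tcp host 10.0.0.5 any eq 22
access-list OOB-IN line 20 extended permit tcp host 10.0.0.6 any eq 22
access-list OOB-IN line 30 extended deny ip any any

interface vlan 100
  description management VLAN toward OOB network (assumed)
  ip address 10.0.0.10 255.255.255.0
  access-group input OOB-IN
  access-group output OOB-DENY
  service-policy input MGMT-POLICY
  no shutdown
```

To verify the output ACL, test from a host on a VLAN behind the ACE rather than from the context CLI, and keep in mind that, as noted later in the thread, ACL changes do not tear down sessions that are already established.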

lukaszkhalil Tue, 01/05/2010 - 04:44

Hello


Thanks. I've checked it from a different VLAN and in fact the ACL does not allow the traffic to pass through the ACE. I also observed that modifications made to the ACL do not impact already established sessions.

Do you know of any recommendation regarding the management access design in an ACE environment? I am wondering whether it is more recommended to implement one management VLAN for all the ACE contexts or one management VLAN per context.

Thank you for the answer.

Regards

Lucas

Gilles Dufour Wed, 01/06/2010 - 01:03

Lucas,

Since inter-context communication is not allowed, you can safely share a management VLAN for all contexts.

There is no risk of one context trying to access the management interface of another context.

Gilles.

lukaszkhalil Wed, 01/06/2010 - 01:18

Thank you.

And do you know if there is a possibility that problems in one context could somehow influence other contexts in such a design? We will have one shared VLAN between all contexts. I am just wondering whether some L2 problems in one context could impact traffic being sent by other contexts.

Lucas.
