ACE ACL issue

lukaszkhalil
Level 1

Hello

I am trying to allow access to one of the ace contexts from out-of-band network. I'd like to secure it so nothing from the ace side should be able to connect to the OOB network, and some particular hosts should have access to the ace context by ssh.

I have already configured the appropriate management class-map that secures the SSH access to the ACE, but I have a problem with securing the opposite way. I've configured an ACL that denies all IP and ICMP traffic and I applied it to the outside direction of the management VLAN.

Unfortunately I can still ping and access some resources in the OOB network from the ACE context.

Do you know what else I should do to make it work?

Thanks in advance for any help.

Regards

Lucas

4 Replies

Gilles Dufour
Cisco Employee

Lucas,

the ACL is not applied to traffic generated by the ACE itself.

You should try from a device behind the ACE.

Gilles.
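The setup Lucas describes, written out as an added example configuration (it is not posted in the thread; the VLAN number, addresses and object names are assumptions):

```cisco
! Added example, not from the thread. Assumed: management VLAN 100 on
! 10.1.1.0/24, context address 10.1.1.10, two admin hosts 10.1.1.20/.21.
! Deny everything that transits the context toward the OOB network.
access-list MGMT-OUT line 10 extended deny icmp any any
access-list MGMT-OUT line 20 extended deny ip any any

! Only the two admin hosts may reach this context by SSH.
class-map type management match-any MGMT-SSH
  2 match protocol ssh source-address 10.1.1.20 255.255.255.255
  3 match protocol ssh source-address 10.1.1.21 255.255.255.255

policy-map type management first-match MGMT-POLICY
  class MGMT-SSH
    permit

interface vlan 100
  description OOB management
  ip address 10.1.1.10 255.255.255.0
  service-policy input MGMT-POLICY
  access-group output MGMT-OUT
  no shutdown
```

The output access-group filters only traffic transiting the ACE toward the OOB network; as Gilles notes, traffic the context itself originates is not subject to it, so the check has to be run from a host behind the ACE.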

Hello

Thanks. I've checked it from a different VLAN and in fact the ACL does not allow the traffic to pass through the ACE. I also observed that modifications made in the ACL do not impact the already established sessions.

Do you know any recommendation regarding the management access design in the ACE environment? I am wondering if it is more recommended to implement one mgmt vlan for all the ACE contexts or one mgmt vlan per context.

Thank you for the answer.

Regards

Lucas

Lucas,

since inter-context communication is not allowed, you can safely share a management vlan for all contexts.

There is no risk of one context trying to access the management interface of another context.

Gilles.

Thank you.

And do you know if there is a possibility that problems from one context could somehow influence other contexts in such a design? We will have one shared VLAN between all contexts. I am just wondering if it is possible that some L2 problems in one context could impact traffic being sent by other contexts.

Lucas.
