ACE Mod20 interface vlan

Mar 17th, 2010

Hi,


Is it possible to set up the service-policy on the server-side VLAN interface and still have it available for clients with a client subnet IP?


What I'm currently trying to do is reach the other side through the ACE, and ping the interface VLANs in a context. But I don't get any answer.


Trying to reach the interface VLAN address 2.1.1.1 from a host in VLAN 1, but with no success. I can ping the interface VLAN 1 though, and can route through the module also.


Setup is as simple as that:


access-list anyone line 18 extended permit ip any any

interface vlan 1
  desc client vlan
  ip address 1.1.1.1 255.255.255.0
  alias 1.1.1.2 255.255.255.0
  access-group input anyone
  service-policy input remote-mgmt
  no shutdown
interface vlan 2
  desc server vlan
  ip address 2.1.1.1 255.255.255.0
  alias 2.1.1.2 255.255.255.0
  access-group input anyone
  service-policy input remote-mgmt
  no shutdown


Greetings,


Frank

Sean Merrow Thu, 03/18/2010 - 08:37

Hi Frank,


Service-policies need to be applied to the incoming/ingress interface, hence the 'input' keyword when applying them.  As for ping, by design, the ACE will not allow you to ping a remote interface on the ACE.  In other words, a host on VLAN 1 will be able to ping IP 1.1.1.1, but not 2.1.1.1.  A host on VLAN 2 will be able to ping 2.1.1.1, but not 1.1.1.1.


Hope this helps,

Sean

c-fwagner Thu, 03/18/2010 - 09:16

Hi Sean,


Thanks, that was the answer I was looking for. Only incoming traffic for an interface that is in the incoming direction is a possible connect.


This is a design limitation or feature.


It's possible to configure global service-policies, to have the VIP available on any interface by default also.


Thanks a lot,


Frank

Sean Merrow Thu, 03/18/2010 - 09:21

Hi Frank,


"This is a design limitation or feature."


Depends on who you ask.  Officially, it is a security feature.


"It's possible to configure global service-policies, to have the VIP available on any interface by default also."


This is a true statement.


- Sean
