New Member

ACE ACL issue

Hello

I am trying to allow access to one of the ACE contexts from an out-of-band network. I'd like to secure it so that nothing from the ACE side is able to connect to the OOB network, while some particular hosts have SSH access to the ACE context.

I have already configured the appropriate management class-map that secures SSH access to the ACE, but I have a problem with securing the opposite direction. I've configured an ACL that denies all IP and ICMP traffic and applied it in the outbound direction on the management VLAN.

Unfortunately I can still ping and access some resources in the OOB network from the ACE context.

Do you know what else I should do to make it work?

Thanks in advance for any help.

Regards

Lucas

4 REPLIES
Cisco Employee

Re: ACE ACL issue

Lucas,

the ACL is not applied to traffic generated by the ACE itself.

You should try from a device behind the ACE.

Gilles.

New Member

Re: ACE ACL issue

Hello

Thanks. I've checked it from a different VLAN, and in fact the ACL does not allow the traffic to pass through the ACE. I also observed that modifications made to the ACL do not affect already established sessions.

Do you know of any recommendations regarding the management access design in an ACE environment? I am wondering whether it is recommended to implement one management VLAN for all the ACE contexts or one management VLAN per context.

Thank you for the answer.

Regards

Lucas

Cisco Employee

Re: ACE ACL issue

Lucas,

since inter-context communication is not allowed, you can safely share a management vlan for all contexts.

There is no risk of one context trying to access the management interface of another context.

Gilles.
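
As an added illustration (not configuration posted by Lucas or Gilles), here is how the design discussed above would look on an ACE context: the management class-map permits SSH only from a named OOB host, and an outbound ACL on the shared management VLAN drops everything leaving the context toward the OOB network. The VLAN number, addresses and object names are assumptions chosen for the example. Note, as Gilles says, that the ACL governs traffic passing through the ACE; traffic the context originates itself is not subject to it, so testing has to be done from a device behind the ACE.

```text
! --- Example only; VLAN 100, 10.0.0.0/24 and the object names are assumed ---

! Deny everything leaving the context toward the OOB network.
! "deny ip" already covers ICMP; the explicit ICMP line only makes the intent visible.
access-list MGMT-OUT line 10 extended deny icmp any any
access-list MGMT-OUT line 20 extended deny ip any any

! Allow SSH to the context only from the designated OOB management host.
class-map type management match-any MGMT-SSH
  2 match protocol ssh source-address 10.0.0.10 255.255.255.255

policy-map type management first-match MGMT-POLICY
  class MGMT-SSH
    permit

! Shared management VLAN inside the context.
interface vlan 100
  description Out-of-band management (shared across contexts)
  ip address 10.0.0.5 255.255.255.0
  access-group output MGMT-OUT
  service-policy input MGMT-POLICY
  no shutdown
```

Because the ACE denies traffic that no ACL permits, the outbound ACL mainly documents the policy and blocks hosts behind the context from reaching the OOB network; existing sessions are not re-evaluated when the ACL changes, which matches what Lucas observed.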

New Member

Re: ACE ACL issue

Thank you.

And do you know if there is a possibility that problems in one context could somehow influence other contexts in such a design? We will have one shared VLAN between all contexts. I am just wondering if it is possible that some L2 problems in one context could impact traffic being sent by other contexts.

Lucas.
