Cisco Support Community

New Member

ACE Mod20 interface vlan

Hi,

Is it possible to set up the service-policy on the server-side VLAN interface and still have it available for clients with a client subnet IP?

What I'm currently trying to do is reach the other side through the ACE and ping the interface VLANs in a context, but I don't get any answer.

Trying to reach the interface VLAN address 2.1.1.1 from a host in vlan1, but with no success. I can ping the interface vlan 1 though, and can route through the module also.

Setup is simple as that:

access-list anyone line 18 extended permit ip any any

interface vlan 1
  desc client vlan
  ip address 1.1.1.1 255.255.255.0
  alias 1.1.1.2 255.255.255.0
  access-group input anyone
  service-policy input remote-mgmt
  no shutdown
interface vlan 2
  desc server vlan
  ip address 2.1.1.1 255.255.255.0
  alias 2.1.1.2 255.255.255.0
  access-group input anyone
  service-policy input remote-mgmt
  no shutdown

Greetings,

Frank

3 REPLIES
Silver

Re: ACE Mod20 interface vlan

Hi Frank,

Service-policies need to be applied to the incoming/ingress interface, hence the 'input' keyword when applying them.  As for ping, by design, the ACE will not allow you to ping a remote interface on the ACE.  In other words, a host on VLAN 1 will be able to ping IP 1.1.1.1, but not 2.1.1.1.  A host on VLAN 2 will be able to ping 2.1.1.1, but not 1.1.1.1.

Hope this helps,

Sean

New Member

Re: ACE Mod20 interface vlan

Hi Sean,

Thanks, that was the answer I was looking for. Only incoming traffic for an interface that is in the incoming direction is a possible connect.

This is a design limitation or feature.

It's possible to configure global service-policies, to have the VIP available on any interface by default also.

Thanks a lot,

Frank

Silver

Re: ACE Mod20 interface vlan

Hi Frank,

"This is a design limitation or feature."

Depends on who you ask.  Officially, it is a security feature.

"It's possible to configure global service-policies, to have the VIP available on any interface by default also."

This is a true statement.

- Sean
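
An added example, not part of the thread and not Cisco code: a Python check that reads an ACE context configuration, reports which input service-policies are in effect on each VLAN interface (counting a `service-policy input` entered in context configuration mode as global), and applies the ping rule Sean describes. The sample config is constructed; the `lb-vip` and `remote-access` names, and the assumption that `remote-mgmt` permits ICMP, are not from the thread.

```python
import re

# Constructed sample in ACE running-config layout: the thread's two VLANs, with
# remote-mgmt applied globally and a hypothetical "lb-vip" policy on vlan 1 only.
SAMPLE = """\
policy-map type management first-match remote-mgmt
  class remote-access
    permit
service-policy input remote-mgmt
interface vlan 1
  ip address 1.1.1.1 255.255.255.0
  service-policy input lb-vip
  no shutdown
interface vlan 2
  ip address 2.1.1.1 255.255.255.0
  no shutdown
"""

def parse(config):
    """Return (global policies, management policy names, per-VLAN details)."""
    global_pols, mgmt, vlans, cur = [], set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():
            cur = None  # unindented line: back in context configuration mode
        if m := re.fullmatch(r"interface vlan (\d+)", line):
            cur = vlans.setdefault(int(m[1]), {"ip": None, "policies": []})
        elif m := re.fullmatch(r"policy-map type management \S+ (\S+)", line):
            mgmt.add(m[1])
        elif m := re.fullmatch(r"service-policy input (\S+)", line):
            (global_pols if cur is None else cur["policies"]).append(m[1])
        elif cur is not None and (m := re.fullmatch(r"ip address (\S+) \S+", line)):
            cur["ip"] = m[1]
    return global_pols, mgmt, vlans

def effective_policies(config):
    """Input policies in effect per VLAN: interface-level plus global ones."""
    global_pols, _, vlans = parse(config)
    return {v: d["policies"] + [p for p in global_pols if p not in d["policies"]]
            for v, d in vlans.items()}

def ping_answered(config, ingress_vlan, dst_ip):
    """Thread's rule: only the ingress interface's own address answers, and only
    if a management policy is in effect there (assumed here to permit ICMP)."""
    _, mgmt, vlans = parse(config)
    own_ip = vlans[ingress_vlan]["ip"] == dst_ip
    return own_ip and any(p in mgmt for p in effective_policies(config)[ingress_vlan])
```

Running `effective_policies` over a saved context config shows at a glance which policies a global `service-policy` has extended to interfaces where they were not applied individually.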
