Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

an access-list & class-map for mgmt access

We're configuring a brand new ACE Control Module and I understand we need to configure both, an access-list and class-map/policy-map to allow access to the ACE. Can someone please tell me why both of these are required?


Cisco Employee

Re: an access-list & class-map for mgmt access

By default all traffic is denied.

When configuring an access-group OR a service-policy you permit some traffic.

So, this is a OR.


New Member

Re: an access-list & class-map for mgmt access

Thanks for your response. We have been told by a Cisco eng that starting with ver. A2(1.5), all traffic is allowed, so we would need both. In addition, every sample config that I have seen had both, an ACL and class matches.

Thanks again.

Cisco Employee

Re: an access-list & class-map for mgmt access

I'm running the future A2(1.6) image

loader: Version 12.2[118]

system: Version A2(1.6) [build 3.0(0)A2(1.5.48.gdufour) gdufour_09:06:40-20


system image file: [LCP] disk0:c6ace-t1k9-mz.gdufour-mts5.bin

installed license: ACE-VIRT-250 ACE-SSL-05K-K9

And if I remove the access-group from the interface :

interface vlan 20

ip address


peer ip address

mac-sticky enable

access-group input PERMIT-ANY

service-policy input ALLOW-ALL

service-policy input SLB-SSL

service-policy input SLB

no shutdown

switch/Admin# conf t

Enter configuration commands, one per line. End with CNTL/Z.

switch/Admin(config)# int vlan 20

switch/Admin(config-if)# no access-group input PERMIT-ANY

I can ping the interface (allowed by the service policy) but not ping a device behind the ACE (blocked because no access-group)

[root@Linux2 cisco]# ping

PING ( 56(84) bytes of data.

64 bytes from icmp_seq=1 ttl=128 time=0.316 ms

64 bytes from icmp_seq=2 ttl=128 time=0.332 ms

[root@Linux2 cisco]# ping

PING ( 56(84) bytes of data.

--- ping statistics ---

4 packets transmitted, 0 received, 100% packet loss, time 3002ms

If I add the access-group again :


switch/Admin(config-if)# access-group input PERMIT-ANY

Then the ping through the ACE works:

[root@Linux2 cisco]# ping

PING ( 56(84) bytes of data.

64 bytes from icmp_seq=4 ttl=64 time=0.300 ms

64 bytes from icmp_seq=5 ttl=64 time=0.231 ms

Can't be more precise than that.