https://community.cisco.com/t5/application-networking/ace-acl-issue/m-p/1377908#M28686 <HTML><HEAD></HEAD><BODY><P>Hello</P><P></P><P></P><!--[if gte mso 10]> <style> /* Style Definitions */ table.MsoNormalTable {mso-style-name:Standardowy; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-parent:""; mso-padding-alt:0cm 5.4pt 0cm 5.4pt; mso-para-margin:0cm; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:10.0pt; font-family:"Times New Roman"; mso-ansi-language:#0400; mso-fareast-language:#0400; mso-bidi-language:#0400;} </style> <![endif]--><P><SPAN lang="EN-US">Thanks. I've check it from different vlan and in fact the ACL does not allow the traffic to pass through the ACE. I also observed that modification made in the ACL do not impact the already established sessions. </SPAN></P><P><SPAN lang="EN-US"> </SPAN></P><P><SPAN lang="EN-US">Do you know any recommendation regarding the management access design in the ACE environment? I am wondering if it is more recommended to implement one mgmt vlan for all the ACE contexts or one mgmt vlan per context. </SPAN></P><P><SPAN lang="EN-US"> </SPAN></P><P><SPAN lang="EN-US">Thank you for the answer.</SPAN></P><P>Ragards</P><P>Lucas</P></BODY></HTML> Tue, 05 Jan 2010 12:44:12 GMT lukaszkhalil 2010-01-05T12:44:12Z https://community.cisco.com/t5/application-networking/ace-acl-issue/m-p/1377906#M28684 <P></P><!--[if gte mso 10]> <style> /* Style Definitions */ table.MsoNormalTable {mso-style-name:Standardowy; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-parent:""; mso-padding-alt:0cm 5.4pt 0cm 5.4pt; mso-para-margin:0cm; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:10.0pt; font-family:"Times New Roman"; mso-ansi-language:#0400; mso-fareast-language:#0400; mso-bidi-language:#0400;} </style> <![endif]--><P><SPAN lang="EN-US">Hello</SPAN></P><P><SPAN lang="EN-US"> </SPAN></P><P><SPAN lang="EN-US">I am trying to allow access to one of the ace contexts from out-of-band network. I'd like to secure it so nothing from the ace side should be able to connect to the OOB network, and some particular hosts should have access to the ace context by ssh.</SPAN></P><P><SPAN lang="EN-US"> </SPAN></P><P><SPAN lang="EN-US">I have already configured the appropriate management class-map that secure the SSH access to the ace, but I have a problem with securing the opposite way. I've configured the ACL that deny all ip and icmp traffic and I applied it to the outside direction of the management vlan. </SPAN></P><P><SPAN lang="EN-US"> </SPAN></P><P><SPAN lang="EN-US">Unfortunately I can still ping and access some resources in the OOB network from the ACE context.</SPAN></P><P><SPAN lang="EN-US"> </SPAN></P><P><SPAN lang="EN-US">Do you know what else should I do to make it works ?</SPAN></P><P><SPAN lang="EN-US"> </SPAN></P><P><SPAN lang="EN-US">Thanks in advance for any help.</SPAN></P><P><SPAN lang="EN-US"> </SPAN></P><P>Regards</P><P></P><P>Lucas</P> Wed, 30 Dec 2009 13:41:20 GMT https://community.cisco.com/t5/application-networking/ace-acl-issue/m-p/1377906#M28684 lukaszkhalil 2009-12-30T13:41:20Z https://community.cisco.com/t5/application-networking/ace-acl-issue/m-p/1377907#M28685 <HTML><HEAD></HEAD><BODY><P>Lucas,</P><P></P><P>the ACL is not applied to traffic generated by the ACE itself.</P><P>You should try from a device behind the ACE.</P><P></P><P>Gilles.</P></BODY></HTML> Wed, 30 Dec 2009 16:12:12 GMT https://community.cisco.com/t5/application-networking/ace-acl-issue/m-p/1377907#M28685 Gilles Dufour 2009-12-30T16:12:12Z https://community.cisco.com/t5/application-networking/ace-acl-issue/m-p/1377908#M28686 <HTML><HEAD></HEAD><BODY><P>Hello</P><P></P><P></P><!--[if gte mso 10]> <style> /* Style Definitions */ table.MsoNormalTable {mso-style-name:Standardowy; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-parent:""; mso-padding-alt:0cm 5.4pt 0cm 5.4pt; mso-para-margin:0cm; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:10.0pt; font-family:"Times New Roman"; mso-ansi-language:#0400; mso-fareast-language:#0400; mso-bidi-language:#0400;} </style> <![endif]--><P><SPAN lang="EN-US">Thanks. I've check it from different vlan and in fact the ACL does not allow the traffic to pass through the ACE. I also observed that modification made in the ACL do not impact the already established sessions. </SPAN></P><P><SPAN lang="EN-US"> </SPAN></P><P><SPAN lang="EN-US">Do you know any recommendation regarding the management access design in the ACE environment? I am wondering if it is more recommended to implement one mgmt vlan for all the ACE contexts or one mgmt vlan per context. </SPAN></P><P><SPAN lang="EN-US"> </SPAN></P><P><SPAN lang="EN-US">Thank you for the answer.</SPAN></P><P>Ragards</P><P>Lucas</P></BODY></HTML> Tue, 05 Jan 2010 12:44:12 GMT https://community.cisco.com/t5/application-networking/ace-acl-issue/m-p/1377908#M28686 lukaszkhalil 2010-01-05T12:44:12Z https://community.cisco.com/t5/application-networking/ace-acl-issue/m-p/1377909#M28687 <HTML><HEAD></HEAD><BODY><P>Lucas,</P><P></P><P>since inter-context communication is not allowed, you can safely share a management vlan for all contexts.</P><P>There is no risk of one context trying to access the management interface of another context.</P><P></P><P>Gilles.</P></BODY></HTML> Wed, 06 Jan 2010 09:03:35 GMT https://community.cisco.com/t5/application-networking/ace-acl-issue/m-p/1377909#M28687 Gilles Dufour 2010-01-06T09:03:35Z https://community.cisco.com/t5/application-networking/ace-acl-issue/m-p/1377910#M28688 <HTML><HEAD></HEAD><BODY><P>Thank you.</P><P></P><P>And do you know if there is a possibility that problems from one context could somehow infuence other contexts in such design ? We will have one shared vlan between all contexts. I am just wondering if it is possible that some L2 problems in one context could impact traffic being send by other contexts.</P><P></P><P>Lucas.</P></BODY></HTML> Wed, 06 Jan 2010 09:18:04 GMT https://community.cisco.com/t5/application-networking/ace-acl-issue/m-p/1377910#M28688 lukaszkhalil 2010-01-06T09:18:04Z