https://community.cisco.com/t5/application-networking/traffic-flow-between-two-vlan-interfaces-in-the-same-context/m-p/1673213#M33733 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>AFAIK the ACE will only answer to a request targeted to a VIP if the traffic hits the load-balancer on the interface on which the service-policy for this VIP is configured.</P><P>For instance in your config, only the traffic coming to the ACE on vlan A will be able to access the VIP.</P><P>If you want both VLANs to be able to access the VIP, you can add the same service-policy to both interfaces.</P><P></P><P>Regards,</P><P>Nicolas</P></BODY></HTML> Mon, 25 Jul 2011 20:16:01 GMT Nicolas Fournier 2011-07-25T20:16:01Z https://community.cisco.com/t5/application-networking/traffic-flow-between-two-vlan-interfaces-in-the-same-context/m-p/1673212#M33732 <P>I have two vlan interfaces in the same context C2.</P><P></P><P>interface vlan A</P><P>&nbsp; description VIP_App</P><P>&nbsp; ip address 10.2.1.253 255.255.255.0</P><P>&nbsp; alias 10.2.1.4 255.255.255.0</P><P>&nbsp; peer ip address 10.2.1.254 255.255.255.0</P><P>&nbsp; access-group input Out_Acc_PB</P><P>&nbsp; service-policy input POLICY</P><P>&nbsp; no shutdown</P><P></P><P>interface vlan B</P><P>&nbsp; description App</P><P>&nbsp; ip address 10.2.12.253 255.255.255.0</P><P>&nbsp; alias 10.2.12.4 255.255.255.0</P><P>&nbsp; peer ip address 10.2.12.254 255.255.255.0</P><P>&nbsp; access-group input In_Acc_PB</P><P></P><P>The host (10.2.12.11) on Vlan B would like to reach the VIP (10.2.1.5) on Vlan A. I can see the ACL (In_Acc_PB) counters incrementing. I do not see the traffic arrive on VLAN A. When a place a service policy on the VLAN B interface the traffic can reach VLAN A. Why is a service policy needed to allow traffic from one Vlan interface to another in the same context? </P> Mon, 25 Jul 2011 19:17:15 GMT https://community.cisco.com/t5/application-networking/traffic-flow-between-two-vlan-interfaces-in-the-same-context/m-p/1673212#M33732 mldorsey1 2011-07-25T19:17:15Z https://community.cisco.com/t5/application-networking/traffic-flow-between-two-vlan-interfaces-in-the-same-context/m-p/1673213#M33733 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>AFAIK the ACE will only answer to a request targeted to a VIP if the traffic hits the load-balancer on the interface on which the service-policy for this VIP is configured.</P><P>For instance in your config, only the traffic coming to the ACE on vlan A will be able to access the VIP.</P><P>If you want both VLANs to be able to access the VIP, you can add the same service-policy to both interfaces.</P><P></P><P>Regards,</P><P>Nicolas</P></BODY></HTML> Mon, 25 Jul 2011 20:16:01 GMT https://community.cisco.com/t5/application-networking/traffic-flow-between-two-vlan-interfaces-in-the-same-context/m-p/1673213#M33733 Nicolas Fournier 2011-07-25T20:16:01Z https://community.cisco.com/t5/application-networking/traffic-flow-between-two-vlan-interfaces-in-the-same-context/m-p/1673214#M33734 <HTML><HEAD></HEAD><BODY><P> Thanks Nicolas</P><P></P><P>Placing the same service policy does get the traffic to work. However I still do not understand why the traffic from Vlan B does not go to Vlan interface A without the service policy applied to Vlan B. </P><P></P><P>This ACE is configured in router mode. The ACE has the route to the 10.2.1.x/24 network via Vlan A. The service policy is applied to Vlan A. It was my thought that the traffic should leave Vlan B and arrive on the Vlan A interface. Once there the service policy would be used to access the VIP.</P></BODY></HTML> Tue, 26 Jul 2011 11:55:49 GMT https://community.cisco.com/t5/application-networking/traffic-flow-between-two-vlan-interfaces-in-the-same-context/m-p/1673214#M33734 mldorsey1 2011-07-26T11:55:49Z https://community.cisco.com/t5/application-networking/traffic-flow-between-two-vlan-interfaces-in-the-same-context/m-p/1673215#M33735 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>It is behaving like this for security reasons.</P><P>We only want to provide access to the VIP if we are reaching the ACE on the same vlan to prevent rogue access to VIP if we are coming from other interfaces.</P><P></P><P>Regards,</P><P>Nicolas</P></BODY></HTML> Tue, 26 Jul 2011 12:01:01 GMT https://community.cisco.com/t5/application-networking/traffic-flow-between-two-vlan-interfaces-in-the-same-context/m-p/1673215#M33735 Nicolas Fournier 2011-07-26T12:01:01Z