06-27-2007 01:33 AM
I tried to make a VIP to route traffic from one VLAN to another:
class-map match-all DMZ.FIN.DIRECT
  3 match virtual-address 212.x.x.0 255.255.255.240 any
policy-map type loadbalance first-match DMZ.FIN.DIRECT
  class class-default
    forward
policy-map multi-match DMZ.FIN.DIRECT_FORWARD
  class DMZ.FIN.DIRECT
    loadbalance vip inservice
    loadbalance policy DMZ.FIN.DIRECT
My machine sits in VLAN 90: IP 172.16.9.200, GW 172.16.9.193 (the IP of the ACE).
So I added an ACL to the VLAN 90 interface:
access-list VIPS line 4 extended permit ip any 212.x.x.0 255.255.255.240
interface vlan 90
  ip address 172.16.9.193 255.255.255.192
  access-group input VIPS
  service-policy input DMZ.FIN.DIRECT_FORWARD
Note that the ACE has an interface in the second VLAN:
interface vlan 80
  ip address 212.x.x.1 255.255.255.240
  no shutdown
So far, everything is fine. Just out of curiosity, I removed the line
  service-policy input DMZ.FIN.DIRECT_FORWARD
from the VLAN interface, and I can still access a machine in 212.63.226.0.
So I tried the same thing, but without a directly connected interface on the ACE, just a route with a next hop. All the same, it routes everything.
If it routes everything, I don't understand the use of
  DMZ.FIN.DIRECT
    class class-default
      forward
Or is there some kind of secure mode that I need to set up in order to control what's routed and what's not?
Here is the complete config:
06-27-2007 06:12 AM
The ACE module will route traffic that does not hit a vserver and that is permitted by an ACL.
There is no need of a policy for that, unlike the CSM.
Gilles.
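Since, as Gilles says, the interface ACL is what decides which non-VIP traffic the ACE routes, the ACL is also the place to control it. The following is an added example, not configuration from either poster: the thread's own entry, which permits the whole /28 and so lets every host in it be routed, next to a tightened list that permits only the VIP and denies the rest of the subnet. It assumes ACE extended-ACL syntax with the `host` keyword and per-line sequence numbers; 212.x.x.10 is an assumed placeholder for the real VIP address, and `!` lines are comments.

```cisco
! As posted in the thread: permits the whole /28, so traffic to any host in
! the subnet that does not hit a vserver is still routed by the ACE.
access-list VIPS line 4 extended permit ip any 212.x.x.0 255.255.255.240

! Tightened list (added example). Only the VIP is reachable from VLAN 90;
! every other address in the /28 is dropped by the ACL before any routing
! decision. The deny line states the intent explicitly instead of relying on
! the implicit deny at the end of the list.
access-list VIPS-TIGHT line 4 extended permit ip any host 212.x.x.10
access-list VIPS-TIGHT line 8 extended deny ip any 212.x.x.0 255.255.255.240

! Apply the tightened list on the client-facing interface in place of VIPS.
interface vlan 90
  ip address 172.16.9.193 255.255.255.192
  access-group input VIPS-TIGHT
  service-policy input DMZ.FIN.DIRECT_FORWARD
```

With VIPS-TIGHT in place, the test from the thread (reaching a non-VIP machine in the /28 through the ACE) should fail even with the service-policy removed, which confirms that the ACL, not the load-balance policy, is the routing control.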
06-27-2007 06:27 AM
Thanks, this solves my issue.