I'm at the end of my rope (or cable) on what should be something simple: I cannot get direct-server access to work. My ACLs allow all IP traffic; I've tried class-maps and policy-maps to inspect ICMP, and applied everything in the right places (I think). Can someone provide a config snippet showing the pertinent parts needed to allow pings and other LAN protocols through directly to servers for management purposes, and also for server-to-server traffic that is necessary for such things as a Windows web server (rserver) talking to a domain controller located in a non-ACE VLAN?
Solved my own problem. Without the server-side VLAN going through the ACE (i.e., I removed the VLAN from the svclc vlan-group and configured an IP on the VLAN on the MSFC), direct-server access worked fine. With this VLAN behind the ACE, it did not work when trying to reach one of my rservers, which was connected via an L2-only access switch, but I could reach a different rserver that was connected to a second access switch. The ACE modules sit in aggregation switches that are then trunked down to the access switches.
One would think the problem was with the ACE.
I discovered that one of the access switches had an older IOS version than the other: 12.2(17d)SXB11a instead of 12.2(18)SXF7. Now, I knew IOS had to be at 12.2(18) just to see the ACE in the agg switches, but I did not think the version was so important for the access switches, which are only doing switching.
I decided to bring the one access switch up to 12.2(18), and then the ACE was able to reach the one rserver I had trouble reaching.
Again, with the ACE removed from the server-side VLAN, I could reach rservers on both access switches.
Strange problem, or is it known that all L2 switches must be at a given rev to support the ACE? I don't see how the ACE, which is one switch removed from an access-only switch, would or should do anything different to a frame that could affect the switching through downstream switches.
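For readers landing here with the same symptom, the following is an added example of the pieces that direct-server access through an ACE module in routed mode depends on; it is not the poster's configuration and is not taken from the thread. Module slot, VLAN IDs, addresses, and the ACL/class-map names are assumed placeholders. In the poster's case the ACE side turned out to be fine and the fix was the access-switch IOS upgrade described above, so treat this as the baseline to verify before chasing the ACE config further.

```cisco
! ---- Catalyst 6500 MSFC (aggregation switch) ----
! Hand both the client-side and server-side VLANs to the ACE in slot 3.
! Removing a VLAN from this group (and giving the MSFC an SVI on it)
! takes the ACE out of the path, which is what the poster did to isolate the fault.
svclc multiple-vlan-interfaces
svclc module 3 vlan-group 10
svclc vlan-group 10 100,200
!
interface Vlan100
 description client-side VLAN facing the ACE
 ip address 10.1.100.1 255.255.255.0
 no shutdown
! No MSFC SVI on VLAN 200: the ACE is the gateway for the server-side VLAN.

! ---- ACE module context ----
! ACE drops anything not explicitly permitted, on every VLAN interface,
! so an ACL must be applied inbound on BOTH the client and server sides.
access-list PERMIT-ALL line 10 extended permit ip any any
access-list PERMIT-ALL line 20 extended permit icmp any any
!
! Allow ping/SSH to the ACE's own interface addresses (management to the
! module itself, separate from traffic passing through it).
class-map type management match-any MGMT-TO-ACE
  2 match protocol icmp any
  3 match protocol ssh any
policy-map type management first-match MGMT-POLICY
  class MGMT-TO-ACE
    permit
!
interface vlan 100
  description client side
  ip address 10.1.100.2 255.255.255.0
  access-group input PERMIT-ALL
  service-policy input MGMT-POLICY
  no shutdown
!
interface vlan 200
  description server side (rservers use 10.1.200.2 as default gateway)
  ip address 10.1.200.2 255.255.255.0
  access-group input PERMIT-ALL
  service-policy input MGMT-POLICY
  no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.1.100.1
```

With this in place, a ping from a host on the client side to a server's real address traverses the ACE as a normal routed flow; the rserver's reply comes back only if its default gateway is the ACE's server-side address (or a route to the client network points there), and the domain-controller traffic the poster mentions needs the same ACL permit on both interfaces. If one rserver answers and another on a different access switch does not while the ACE config is identical for both, look at the L2 path first, as the poster found.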