ACE Mod20 interface vlan

c-fwagner · ‎03-17-2010

Hi,

is it possible to setup the service-policy on the server side vlan interface and still have it available for clients with a client subnet ip?

What i'm currently trying it to reach is the other side through the ace. And ping the interface vlan's in a context. But i don't get any answer.

Trying to reach the interface vlan adress 2.1.1.1 from a host in vlan1, but with no success. I can ping the interface vlan 1 though and can route through the module also.

Setup is simple as that:

access-list anyone line 18 extended permit ip any any

interface vlan 1

desc client vlan

ip address 1.1.1.1 255.255.255.0
alias 1.1.1.2 255.255.255.0
access-group input anyone
service-policy input remote-mgmt
no shutdown
interface vlan 2

desc server vlan

ip address 2.1.1.1 255.255.255.0
alias 2.1.1.2 255.255.255.0
access-group input anyone
service-policy input remote-mgmt
no shutdown

Greetings,

Frank

Sean Merrow · ‎03-18-2010

Hi Frank,

Service-policies need to be applied to the incoming/ingress interface, hence the 'input' keyword when applying them. As for ping, by design, the ACE will not allow you to ping a remote interface on the ACE. In other words, a host on VLAN 1 will be able to ping IP 1.1.1.1, but not 2.1.1.1. A host on VLAN 2 will be able to ping 2.1.1.1, but not 1.1.1.1.

Hope this helps,

Sean

c-fwagner · ‎03-18-2010

Hi Sean,

Thanks, that was the answer i was looking for. Only incoming traffic for an interface that is in the incoming direction, is a possible connect.

This is a design limitation or feature.

It's possible to configure global service-policies, to have the VIP available on any interface by default also.

Thanks a lot,

Frank

Sean Merrow · ‎03-18-2010

Hi Frank,

This is a design limitation or feature.

Depends on who you ask. Officially, it is a secuirty feature.

It's possible to configure global service-policies, to have the VIP available on any interface by default also.

This is a true statement.

- Sean