Solved: Management service-policy applied globally on ACE

Paul Whitmore · ‎04-16-2013

Hi Guy's,

I was wondering if anyone can help me to understand the impact of performing the following actions please? Will I loose remote access and require local console access?

- We currently have a number of ACE appliances installed at remote locations configured with a management service-policy allowing remote connections to the devices i.e ssh, icmp etc.. This service-policy is applied globally which covers all interfaces in that particular context. However I need to apply the service-policy to a specific interface rather than globally.

Can I do this in parallel with the same policy-map applied globally AND on the specific interface or will I need to remove the global service-policy first then add it to the interface and if so, will I lose remote connectivity when I do this please?

Thanks in advance,

Paul.

Kanwaljeet Singh · ‎04-16-2013

Hi Paul,

I just checked on my lab device and it seems that you will have to remove the global policy and only then you can apply it to an appropriate interface which means that you will lose access to the device.

switch/Kanwal(config)# service-policy input ManagementPolicy

switch/Kanwal(config)# interface vlan 500

switch/Kanwal(config-if)# service-policy input ManagementPolicy

Error: policy has already been applied globally; cannot apply locally

You can create a new policy using the same class-map and apply it to the interface and then you can remove the global policy.

In below example i just changed the name of existing policy which is applied globally and used the same class-map. It should work fine.

switch/Kanwal(config-if)# switch/Kanwal(config)# interface vlan 500
switch/Kanwal(config-if)# service-policy input Man
ManagementPolicy ManagementPolicy1
switch/Kanwal(config-if)# service-policy input ManagementPolicy1
switch/Kanwal(config-if)#

Let me know if you have any questions.

Regards,

Kanwal

View solution in original post

Kanwaljeet Singh · ‎04-16-2013

Hi Paul,

I just checked on my lab device and it seems that you will have to remove the global policy and only then you can apply it to an appropriate interface which means that you will lose access to the device.

switch/Kanwal(config)# service-policy input ManagementPolicy

switch/Kanwal(config)# interface vlan 500

switch/Kanwal(config-if)# service-policy input ManagementPolicy

Error: policy has already been applied globally; cannot apply locally

You can create a new policy using the same class-map and apply it to the interface and then you can remove the global policy.

In below example i just changed the name of existing policy which is applied globally and used the same class-map. It should work fine.

switch/Kanwal(config-if)# switch/Kanwal(config)# interface vlan 500
switch/Kanwal(config-if)# service-policy input Man
ManagementPolicy ManagementPolicy1
switch/Kanwal(config-if)# service-policy input ManagementPolicy1
switch/Kanwal(config-if)#

Let me know if you have any questions.

Regards,

Kanwal

Paul Whitmore · ‎04-17-2013

Thank you very much for your help Kanwal. I shall create a new policy-map named slightly differently using the existing class-map and add that to the interface then remove the global policy. Thanks again.

Regards,

Paul.