Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1295
Views
0
Helpful
3
Replies

Traffic flow between two Vlan interfaces in the same context.

mldorsey1
Level 1
Level 1

‎07-25-2011 12:17 PM

I have two vlan interfaces in the same context C2.

interface vlan A

  description VIP_App

  ip address 10.2.1.253 255.255.255.0

  alias 10.2.1.4 255.255.255.0

  peer ip address 10.2.1.254 255.255.255.0

  access-group input Out_Acc_PB

  service-policy input POLICY

  no shutdown

interface vlan B

  description App

  ip address 10.2.12.253 255.255.255.0

  alias 10.2.12.4 255.255.255.0

  peer ip address 10.2.12.254 255.255.255.0

  access-group input In_Acc_PB

The host (10.2.12.11) on Vlan B would like to reach the VIP (10.2.1.5) on Vlan A. I can see the ACL (In_Acc_PB) counters incrementing. I do not see the traffic arrive on VLAN A. When a place a service policy on the VLAN B interface the traffic can reach VLAN A. Why is a service policy needed to allow traffic from one Vlan interface to another in the same context?

Labels:
0 Helpful
3 Replies 3

Nicolas Fournier
Cisco Employee
Cisco Employee

‎07-25-2011 01:16 PM

Hi,

AFAIK the ACE will only answer to a request targeted to a VIP if the traffic hits the load-balancer on the interface on which the service-policy for this VIP is configured.

For instance in your config, only the traffic coming to the ACE on vlan A will be able to access the VIP.

If you want both VLANs to be able to access the VIP, you can add the same service-policy to both interfaces.

Regards,

Nicolas

0 Helpful

mldorsey1
Level 1
Level 1
In response to Nicolas Fournier

‎07-26-2011 04:55 AM

Thanks Nicolas

Placing the same service policy does get the traffic to work. However I still do not understand why the traffic from Vlan B does not go to Vlan interface A without the service policy applied to Vlan B.

This ACE is configured in router mode. The ACE has the route to the 10.2.1.x/24 network via Vlan A. The service policy is applied to Vlan A. It was my thought that the traffic should leave Vlan B and arrive on the Vlan A interface. Once there the service policy would be used to access the VIP.

0 Helpful

Nicolas Fournier
Cisco Employee
Cisco Employee
In response to mldorsey1

‎07-26-2011 05:01 AM

Hi,

It is behaving like this for security reasons.

We only want to provide access to the VIP if we are reaching the ACE on the same vlan to prevent rogue access to VIP if we are coming from other interfaces.

Regards,

Nicolas

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card