Traffic flow between two Vlan interfaces in the same context.

mldorsey1
Level 1

I have two vlan interfaces in the same context C2.

interface vlan A
  description VIP_App
  ip address 10.2.1.253 255.255.255.0
  alias 10.2.1.4 255.255.255.0
  peer ip address 10.2.1.254 255.255.255.0
  access-group input Out_Acc_PB
  service-policy input POLICY
  no shutdown

interface vlan B
  description App
  ip address 10.2.12.253 255.255.255.0
  alias 10.2.12.4 255.255.255.0
  peer ip address 10.2.12.254 255.255.255.0
  access-group input In_Acc_PB

The host (10.2.12.11) on Vlan B would like to reach the VIP (10.2.1.5) on Vlan A. I can see the ACL (In_Acc_PB) counters incrementing. I do not see the traffic arrive on VLAN A. When I place a service policy on the VLAN B interface the traffic can reach VLAN A. Why is a service policy needed to allow traffic from one Vlan interface to another in the same context?

3 Replies

Nicolas Fournier
Cisco Employee

Hi,

AFAIK the ACE will only answer to a request targeted to a VIP if the traffic hits the load-balancer on the interface on which the service-policy for this VIP is configured.

For instance in your config, only the traffic coming to the ACE on vlan A will be able to access the VIP.

If you want both VLANs to be able to access the VIP, you can add the same service-policy to both interfaces.

Regards,

Nicolas

Thanks Nicolas

Placing the same service policy does get the traffic to work. However, I still do not understand why the traffic from Vlan B does not go to Vlan interface A without the service policy applied to Vlan B.

This ACE is configured in router mode. The ACE has the route to the 10.2.1.x/24 network via Vlan A. The service policy is applied to Vlan A. It was my thought that the traffic should leave Vlan B and arrive on the Vlan A interface. Once there the service policy would be used to access the VIP.

Hi,

It is behaving like this for security reasons.

We only want to provide access to the VIP if we are reaching the ACE on the same vlan to prevent rogue access to VIP if we are coming from other interfaces.

Regards,

Nicolas
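As an added illustration (not part of this thread and not Cisco code), the Python below parses the two interface blocks from the original post and applies the rule Nicolas describes: a VIP is served only on interfaces that carry its service-policy, so an interface whose ACL permits the traffic but lacks the policy will show ACL counters climbing while the VIP never answers. It assumes the plain "interface vlan X" block format shown above and the policy name POLICY.

```python
import ipaddress
import re

# Constructed sample reproducing the thread's config: the VIP policy is applied
# on vlan A only, so clients arriving on vlan B never reach the VIP.
ACE_CONFIG = """\
interface vlan A
  description VIP_App
  ip address 10.2.1.253 255.255.255.0
  alias 10.2.1.4 255.255.255.0
  peer ip address 10.2.1.254 255.255.255.0
  access-group input Out_Acc_PB
  service-policy input POLICY
  no shutdown
interface vlan B
  description App
  ip address 10.2.12.253 255.255.255.0
  alias 10.2.12.4 255.255.255.0
  peer ip address 10.2.12.254 255.255.255.0
  access-group input In_Acc_PB
"""

def parse_interfaces(config):
    # Map each "interface vlan X" block to its subnet and input service-policies.
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface vlan (\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), {"network": None, "policies": set()})
            continue
        tokens = line.split()
        if current is None or not tokens:
            continue
        if tokens[:2] == ["ip", "address"]:  # "peer ip address" does not match here
            current["network"] = ipaddress.IPv4Interface(f"{tokens[2]}/{tokens[3]}").network
        elif tokens[:2] == ["service-policy", "input"]:
            current["policies"].add(tokens[2])
    return interfaces

def audit_vip(interfaces, vip, policy):
    # Returns (interface whose subnet contains the VIP, interfaces lacking the
    # VIP's service-policy). Routing the VIP subnet via vlan A is not enough:
    # the ACE only serves a VIP on interfaces carrying its policy.
    vip = ipaddress.IPv4Address(vip)
    owner = next((n for n, i in interfaces.items() if i["network"] and vip in i["network"]), None)
    lacking = sorted(n for n, i in interfaces.items() if policy not in i["policies"])
    return owner, lacking
```

Running audit_vip(parse_interfaces(ACE_CONFIG), "10.2.1.5", "POLICY") reports vlan A as the VIP's subnet owner and vlan B as the interface still lacking the policy; appending "service-policy input POLICY" to the vlan B block empties that list.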
