Why can’t I ping my ACE module? Diatribe on service-policy.

I have had this come up a couple of times and thought I would put this here for other people who are new to the Cisco Application Control Engine. You install the module, but you can’t ping or telnet / SSH to it even though you have it set up correctly?

Configuration

ACE# sh run
Generating configuration....

logging enable
logging console 7
logging buffered 5
logging monitor 5

access-list EVERYONE line 8 extended permit ip any any
access-list EVERYONE line 16 extended permit icmp any any

class-map type management match-any REMOTE_ACCESS_PROTOCOLS
10 match protocol ssh any
20 match protocol telnet any
30 match protocol icmp any
40 match protocol https any

policy-map type management first-match REMOTE_MGMT_POLICY

service-policy input REMOTE_MGMT_POLICY

interface vlan 100
ip address 198.18.1.100 255.255.255.0
alias 198.18.1.101 255.255.255.0
peer ip address 198.18.1.102 255.255.255.0
access-group input EVERYONE
access-group output EVERYONE
no shutdown
interface vlan 649
ip address 198.18.2.131 255.255.255.128
alias 198.18.2.130 255.255.255.128
peer ip address 198.18.2.132 255.255.255.128
access-group input EVERYONE
no shutdown

ip route 0.0.0.0 0.0.0.0 198.18.1.1

ACE#

Now I can see the neighbour in the ARP cache, so I know that there is a physical connection:
Switch#sh arp | i 198.18.1.203
Internet 198.18.1.203 1 001f.ca7b.6029 ARPA Vlan98
Switch#sh arp | i 198.18.1.204
Internet 198.18.1.203 158 000b.fcfe.1b03 ARPA Vlan98
Switch#ping 198.18.1.204

And I keep on looking at the configuration and saying, it looks right, dangit, it looks right.

It took me a while to realise that the policy-map wasn’t quite right. This is what it should look like, with the management class-map bound under it and a permit action:
policy-map type management first-match REMOTE_MGMT_POLICY
class REMOTE_ACCESS_PROTOCOLS
permit

Just to remind you, this is the bit that was wrong: a policy-map with nothing under it, so no class is matched and nothing is permitted.
policy-map type management first-match REMOTE_MGMT_POLICY
It’s subtle, isn’t it?
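A small checker for exactly this mistake, added here as an example and not part of the original post or of any Cisco tooling: it parses the management policy-map and service-policy lines out of a config text and flags an applied management policy that binds no class or has no permit action. The sample configs are constructed from the post; the parser only understands the few stanzas shown.

```python
import re

# Constructed samples: the management policy as the post first had it (no class
# bound) and the corrected form. Indentation is optional, as in 'show run' output.
BROKEN_CONFIG = """\
class-map type management match-any REMOTE_ACCESS_PROTOCOLS
10 match protocol ssh any
30 match protocol icmp any
policy-map type management first-match REMOTE_MGMT_POLICY
service-policy input REMOTE_MGMT_POLICY
"""
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "REMOTE_MGMT_POLICY\nservice-policy",
    "REMOTE_MGMT_POLICY\nclass REMOTE_ACCESS_PROTOCOLS\npermit\nservice-policy")

# Keywords that start a new top-level stanza and so end a policy-map body.
TOP_LEVEL = ("class-map", "policy-map", "service-policy", "interface",
             "ip route", "access-list", "logging")

def parse_mgmt_policies(config):
    """Map each 'policy-map type management' name to its [(class, action), ...]."""
    policies, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        m = re.match(r"policy-map type management \S+ (\S+)$", line)
        if m:
            current = m.group(1)
            policies[current] = []
        elif current is None or not line:
            continue
        elif line.startswith("class "):
            policies[current].append([line.split()[1], None])
        elif line in ("permit", "deny") and policies[current]:
            policies[current][-1][1] = line
        elif line.startswith(TOP_LEVEL):
            current = None
    return {name: [tuple(c) for c in cls] for name, cls in policies.items()}

def find_problems(config):
    """Applied management policies that permit nothing: the symptom in the post."""
    policies = parse_mgmt_policies(config)
    findings = []
    for name in re.findall(r"^\s*service-policy input (\S+)", config, re.M):
        classes = policies.get(name)
        if classes is None:
            continue  # not a management policy-map; out of scope here
        if not classes:
            findings.append(f"{name}: no class bound, so nothing is permitted")
        elif not any(action == "permit" for _, action in classes):
            findings.append(f"{name}: no bound class has a permit action")
    return findings
```

Run find_problems() over the output of sh run to get a list of findings; an empty list means every applied management policy permits at least one class.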

So, the Sermon

I admit that I find the Cisco Common Policy Classification Language more than a little confusing. When class-maps and policy-maps were used only for QoS I kind of got used to it. Now that the syntax has been extended into ASA policy, ACE load balancing, IOS routing and QoS, and so on, I am finding it hard to hold in my head. Some of my co-workers have said the same thing.

On the other hand, I can see how the service-policy syntax fits very nicely into an XML schema for remote programming. Since we are heading more towards graphical tools to configure and manage network devices, this makes a kind of sense: those tools will use XML to do the configuration (that’s what the ‘show xml parser’ command is all about), so the CLI syntax will tend to look a bit like that.

It’s tough on the human brain though.

About Greg Ferro

Greg Ferro is a Network Engineer/Architect, mostly focussed on Data Centre, Security Infrastructure, and recently Virtualization. He has over 20 years in IT, working as a freelance consultant for a wide range of employers including Finance, Service Providers and Online Companies. He is CCIE#6920 and has a few ideas about the world, but not enough to really count.

He is a host on the Packet Pushers Podcast, a blogger at EtherealMind.com, and is on Twitter as @etherealmind and on Google Plus.

You can contact Greg via the site contact page.

  • Glitchen

    What was wrong? I have the same exact issue…
