https://community.cisco.com/t5/application-networking/why-doesn-t-this-work/m-p/346034#M5758 <HTML><HEAD></HEAD><BODY><P>The NQL is only small for testing. It will be much bigger for production use.</P><P></P><P>Anyways, I did test with just the IP address directly in the ACL as you suggested, with the same result. No hit at all on the ACL clause.</P></BODY></HTML> Tue, 12 Oct 2004 07:27:44 GMT jchin 2004-10-12T07:27:44Z https://community.cisco.com/t5/application-networking/why-doesn-t-this-work/m-p/346032#M5756 <P>I have TAC case opened about this CSS problem. The TAC engineer said everything looks okay but doesn't know why it wouldn't work. I just found out he is going to be away until November. Before I requeue the case, I thought I would try to see anyone here can spot anything wrong with my configuration. The objective is to direct traffic sourced from specific IP addresses or subnets to a service hosting the "you are not welcomed here" site. I am running this on a CSS 11503 with software 07.30.1.06.</P><P></P><P>Relevant excerpts of the CSS config (sanitized for public viewing) are here ...</P><P></P><P>service BLOCKED-1</P><P> ip address 192.168.24.113</P><P> keepalive type none</P><P> active</P><P>service WWW-1 </P><P> ip address 192.168.24.112 </P><P> keepalive type none </P><P> active</P><P>service WWW-2</P><P> ip address 192.168.24.122 </P><P> keepalive type none </P><P> active </P><P>nql YOU-R-BLOCKED_NQL</P><P> description "Block these IP addresses from normal access."</P><P> ip address 2.2.2.2 255.255.255.255 "Bad Joe"</P><P>acl 1</P><P> clause 5 permit tcp nql YOU-R-BLOCKED_NQL destination 1.1.1.1 eq 80 prefer BLOCKED-1</P><P> clause 10 permit tcp any destination 1.1.1.1 eq 80</P><P> clause 20 permit tcp any destination 1.1.1.1 eq 443</P><P> apply circuit-(VLAN500)</P><P>circuit VLAN500</P><P> ip address 1.1.1.254 255.255.254.0 </P><P>owner SITE</P><P> content WWW </P><P> vip address 1.1.1.1 </P><P> add service WWW-1</P><P> add service WWW-2</P><P></P><P>Clauses 10 and 20 receive hits and all traffic, including those sourced from 2.2.2.2 are routed to WWW-1 and WWW-2. Clause 5 gets no hit whatsoever!</P><P></P> Sun, 10 Oct 2004 22:28:29 GMT https://community.cisco.com/t5/application-networking/why-doesn-t-this-work/m-p/346032#M5756 jchin 2004-10-10T22:28:29Z https://community.cisco.com/t5/application-networking/why-doesn-t-this-work/m-p/346033#M5757 <HTML><HEAD></HEAD><BODY><P>since your nql is quite small, did you try to get rid of it and configure the ip address directly in your acl ?</P><P></P><P>Is the apply statement correctly appearing after all the acl clauses ?</P><P></P><P>Regards,</P><P></P><P>Gilles.</P></BODY></HTML> Mon, 11 Oct 2004 12:14:07 GMT https://community.cisco.com/t5/application-networking/why-doesn-t-this-work/m-p/346033#M5757 Gilles Dufour 2004-10-11T12:14:07Z https://community.cisco.com/t5/application-networking/why-doesn-t-this-work/m-p/346034#M5758 <HTML><HEAD></HEAD><BODY><P>The NQL is only small for testing. It will be much bigger for production use.</P><P></P><P>Anyways, I did test with just the IP address directly in the ACL as you suggested, with the same result. No hit at all on the ACL clause.</P></BODY></HTML> Tue, 12 Oct 2004 07:27:44 GMT https://community.cisco.com/t5/application-networking/why-doesn-t-this-work/m-p/346034#M5758 jchin 2004-10-12T07:27:44Z https://community.cisco.com/t5/application-networking/why-doesn-t-this-work/m-p/346035#M5759 <HTML><HEAD></HEAD><BODY><P>Just tested with "deny" instead of "permit" and it blocked the traffic sourced from IP addresses listed in the nql. But the "prefer" option doesn't work.</P></BODY></HTML> Tue, 12 Oct 2004 07:47:52 GMT https://community.cisco.com/t5/application-networking/why-doesn-t-this-work/m-p/346035#M5759 jchin 2004-10-12T07:47:52Z https://community.cisco.com/t5/application-networking/why-doesn-t-this-work/m-p/346036#M5760 <HTML><HEAD></HEAD><BODY><P>change your destination.</P><P>Do not specify the ip address but content rule name.</P><P>Type content <OWNER> instead of an ip address.</OWNER></P><P></P><P>Regards,</P><P></P><P>Gilles.</P></BODY></HTML> Tue, 12 Oct 2004 10:14:44 GMT https://community.cisco.com/t5/application-networking/why-doesn-t-this-work/m-p/346036#M5760 Gilles Dufour 2004-10-12T10:14:44Z https://community.cisco.com/t5/application-networking/why-doesn-t-this-work/m-p/346037#M5761 <HTML><HEAD></HEAD><BODY><P>Thanks! That did the trick! So the relevant acl entry now looks like ...</P><P> clause 5 permit tcp nql YOU-R-BLOCKED_NQL destination content SITE/WWW prefer BLOCKED-1</P><P></P></BODY></HTML> Wed, 13 Oct 2004 07:16:55 GMT https://community.cisco.com/t5/application-networking/why-doesn-t-this-work/m-p/346037#M5761 jchin 2004-10-13T07:16:55Z https://community.cisco.com/t5/application-networking/why-doesn-t-this-work/m-p/346038#M5762 <HTML><HEAD></HEAD><BODY><P>Any reason why "destination content" works and "destination <IP address="" of="" vip="">" didn't?</IP></P><P></P><P>Also, is there a way to redirect rewrite the URL instead of redirecting to the "preferred" service?</P></BODY></HTML> Wed, 13 Oct 2004 16:43:11 GMT https://community.cisco.com/t5/application-networking/why-doesn-t-this-work/m-p/346038#M5762 nchinetti 2004-10-13T16:43:11Z https://community.cisco.com/t5/application-networking/why-doesn-t-this-work/m-p/346039#M5763 <HTML><HEAD></HEAD><BODY><P>it's because the acl is checked 2 times.</P><P>First time in hardware for basic security.</P><P>Allow/permit based on source destination.</P><P></P><P>That's why if you do block, it will block the traffic correctly.</P><P></P><P>Using a prefered service is done is software, when the content has been matched.</P><P>If you don't specify content, but ip address, the CSS could be confused [many rules with same ip but different port or url].</P><P></P><P>Anyway, this is expected to work like this.</P><P></P><P>You could configure the prefered service to be a redirect service.</P><P>This would send an http redirect to the client.</P><P>Check redirect service config on our website.</P><P></P><P>Regards,</P><P></P><P>Gilles.</P></BODY></HTML> Thu, 14 Oct 2004 10:46:17 GMT https://community.cisco.com/t5/application-networking/why-doesn-t-this-work/m-p/346039#M5763 Gilles Dufour 2004-10-14T10:46:17Z https://community.cisco.com/t5/application-networking/why-doesn-t-this-work/m-p/346040#M5764 <HTML><HEAD></HEAD><BODY><P>Will it reduce the throughput of the switch significantly to have the software switched ACL clause present?</P></BODY></HTML> Sat, 16 Oct 2004 05:56:06 GMT https://community.cisco.com/t5/application-networking/why-doesn-t-this-work/m-p/346040#M5764 jchin 2004-10-16T05:56:06Z https://community.cisco.com/t5/application-networking/why-doesn-t-this-work/m-p/346041#M5765 <HTML><HEAD></HEAD><BODY><P>I don't know if we can say significantly.</P><P>You would have to receive a lot of unnecessary traffic to see a difference.</P><P>But we can say it is a good practice to have acl to filter traffic and only allow what you really need.</P><P></P><P>Regards,</P><P></P><P>Gilles.</P></BODY></HTML> Sat, 16 Oct 2004 07:19:07 GMT https://community.cisco.com/t5/application-networking/why-doesn-t-this-work/m-p/346041#M5765 Gilles Dufour 2004-10-16T07:19:07Z