CSS: How to deny access to VIP except for configured service

netadmrona
Level 1

Let's suppose I have 2 web servers load balanced on a CSS with a configured service on port 443. Is there a way to drop all requests that are not for port 443? Or do I need to put the CSS behind a firewall to achieve this?

1 Accepted Solution

dario.didio
Level 4

You can use an ACL to accomplish this:

VIP: 10.0.0.1

protocol: 443

client-side VLAN: 10

acl 1

clause 10 permit any any destination 10.0.0.1 eq 443

clause 20 deny any any destination 10.0.0.1

clause 30 permit any any destination any

apply circuit-VLAN10

This will

- allow 443 to the VIP from any source

- deny all the rest to the VIP

- allow any other traffic

- apply the ACL to the circuit VLAN10

Don't forget to globally enable ACLs:

acl enable

HTH,

Dario
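
The clause ordering in the answer above, modelled as an added example (not part of the original post and not Cisco code): a first-match evaluator run over constructed sample traffic, showing why the specific permit must be numbered ahead of the broad deny. Assumptions: only destination IP and port are modelled, clauses are checked in ascending clause number, and traffic matching no clause is dropped.

```python
# Added illustration: first-match evaluation of the three clauses from the answer.
# Simplified model (assumption): only destination IP and destination port are
# matched, clauses are checked in ascending clause number, and a packet that
# matches no clause is dropped (implicit deny).
from typing import NamedTuple, Optional

VIP = "10.0.0.1"

class Clause(NamedTuple):
    number: int
    action: str            # "permit" or "deny"
    dest: Optional[str]    # None means "destination any"
    port: Optional[int]    # None means no "eq <port>" qualifier

ACL_FROM_ANSWER = [
    Clause(10, "permit", VIP, 443),
    Clause(20, "deny", VIP, None),
    Clause(30, "permit", None, None),
]

# Failure mode: the broad deny numbered ahead of the specific permit.
MISORDERED = [
    Clause(10, "deny", VIP, None),
    Clause(20, "permit", VIP, 443),
    Clause(30, "permit", None, None),
]

def evaluate(acl, dest, port):
    """Return (action, clause number) for the first matching clause."""
    for c in sorted(acl, key=lambda c: c.number):
        if c.dest not in (None, dest):
            continue  # clause names a different destination
        if c.port not in (None, port):
            continue  # clause names a different port
        return c.action, c.number
    return "deny", None  # nothing matched

# Constructed sample traffic: (destination IP, destination port)
SAMPLES = [(VIP, 443), (VIP, 80), (VIP, 22), ("10.0.0.50", 80)]

def report(acl):
    """Map each sample packet to its verdict under the given ACL."""
    return {s: evaluate(acl, *s) for s in SAMPLES}

if __name__ == "__main__":
    for name, acl in (("answer", ACL_FROM_ANSWER), ("misordered", MISORDERED)):
        for sample, verdict in report(acl).items():
            print(name, sample, verdict)
```

In the misordered variant the HTTPS service itself is cut off, and dropping clause 30 from the answer's ACL blocks all traffic that is not addressed to the VIP.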
