10-03-2003 05:40 PM
I want to limit client-to-server traffic, and I am trying to use NQL with an ACL.
If I enable the ACL then all traffic is dropped (the permit clause was added before enabling the ACL). Does anybody have samples, or can you tell me how to configure it? Thanks!
I want VLAN3 to be able to access the servers and VLAN2 not to.
!************************* INTERFACE *************************
interface e11
bridge vlan 2
interface e12
bridge vlan 3
!************************** CIRCUIT **************************
circuit VLAN1
ip address 172.16.100.250 255.255.255.0
circuit VLAN2
ip address 172.16.99.250 255.255.255.0
circuit VLAN3
ip address 172.16.101.250 255.255.255.0
!************************** SERVICE **************************
service w1
ip address 172.16.100.78
port 10000
active
service w2
port 10000
ip address 172.16.100.79
active
!**************************** NQL ****************************
nql web
ip address 172.16.100.0 255.255.255.0
!*************************** OWNER ***************************
owner web
content webl
add service w1
add service w2
protocol tcp
port 80
vip address 172.16.100.80
active
!**************************** ACL ****************************
acl 1
clause 20 permit tcp 172.16.101.0 255.255.255.0 destination nql web eq 80
apply circuit-(VLAN1)
10-05-2003 12:59 AM
If you enable ACLs, by default the CSS will drop all traffic unless you permit it explicitly,
even on circuit interfaces where there is no ACL.
So you need to create an ACL like this:
acl 2
clause 99 permit any any destination any
apply circuit-(VLAN2)
apply circuit-(VLAN3)
Let us know the result with this.
Gilles
10-05-2003 08:17 PM
Hi,
Thanks for your reply. I have modified our config, but the NQL still doesn't work. When I show the ACL I can see hits, but the NQL doesn't work. I added the below:
!**************************** ACL ****************************
acl 1
clause 1 permit tcp 172.16.101.0 255.255.255.0 destination nql web eq 80
apply circuit-(VLAN1)
acl 2
clause 2 permit any any destination any
apply circuit-(VLAN2)
acl 3
clause 3 permit any any destination any
apply circuit-(VLAN3)
10-06-2003 12:52 AM
If I modify acl 1 to
acl 1
clause 1 permit tcp 172.16.101.0 255.255.255.0 destination nql web eq 80
clause 1 permit any any destination nql web eq 80
apply circuit-(VLAN1)
then we can see hit counters on acl 1 and it can access the server.
10-06-2003 04:12 AM
Your ACL says permit traffic from 172.16.101.0/24 to nql web and deny the rest.
Since the network 172.16.101.0/24 is on the interface VLAN3, I would expect acl 1 to be applied to VLAN3 and not VLAN1.
If this is not what you want, please tell us what is working and not working (is all traffic going through, or no traffic at all?).
Thanks,
Gilles.
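Gilles's two points (once ACLs are enabled every circuit needs an explicit permit, and an ACL should be applied on the circuit where its source network actually lives) can be checked mechanically before enabling ACLs. The script below is an added example, not from this thread or from Cisco; it parses a constructed CSS-style snippet modelled on the config above (the parser handles only the circuit, clause and apply lines used here) and reports ACLs applied to the wrong circuit and circuits left without any ACL.

```python
import ipaddress
import re

# Constructed sample in the thread's CSS syntax, not taken from a real device.
CONFIG = """
circuit VLAN1
ip address 172.16.100.250 255.255.255.0
circuit VLAN2
ip address 172.16.99.250 255.255.255.0
circuit VLAN3
ip address 172.16.101.250 255.255.255.0
acl 1
clause 1 permit tcp 172.16.101.0 255.255.255.0 destination nql web eq 80
apply circuit-(VLAN1)
acl 2
clause 2 permit any any destination any
apply circuit-(VLAN2)
"""

def parse(config):
    """Return {circuit: network} and {acl: {'sources': [...], 'circuits': [...]}}."""
    circuits, acls = {}, {}
    cur_circuit = cur_acl = None
    for line in config.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "circuit":                      # circuit VLANx
            cur_circuit, cur_acl = p[1], None
        elif p[:2] == ["ip", "address"] and cur_circuit:
            circuits[cur_circuit] = ipaddress.ip_network(f"{p[2]}/{p[3]}", strict=False)
        elif p[0] == "acl":                        # acl <n>
            cur_acl, cur_circuit = p[1], None
            acls[cur_acl] = {"sources": [], "circuits": []}
        elif p[0] == "clause" and cur_acl:         # clause <n> permit <proto> <src|any> ...
            src = None if p[4] == "any" else ipaddress.ip_network(f"{p[4]}/{p[5]}", strict=False)
            acls[cur_acl]["sources"].append(src)
        elif p[0] == "apply" and cur_acl:          # apply circuit-(VLANx)
            m = re.match(r"circuit-\((\w+)\)", p[1])
            if m:
                acls[cur_acl]["circuits"].append(m.group(1))
    return circuits, acls

def audit(config):
    """List misplaced source-based ACLs and circuits that would drop everything."""
    circuits, acls = parse(config)
    findings, applied = [], set()
    for name, acl in acls.items():
        applied.update(acl["circuits"])
        for src in filter(None, acl["sources"]):
            home = [c for c, net in circuits.items() if src.subnet_of(net)]
            for c in acl["circuits"]:
                if home and c not in home:
                    findings.append(f"acl {name}: source {src} lives on {home[0]}, but ACL is applied to {c}")
    for c in circuits:
        if c not in applied:
            findings.append(f"circuit {c}: no ACL applied; with ACLs enabled all traffic on it is dropped")
    return findings
```

Run `audit(CONFIG)` on the sample: it flags acl 1 as applied to VLAN1 while its source network sits on VLAN3, and flags VLAN3 for having no ACL at all.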