Re: Why doesn't this work?

jchin · ‎10-10-2004

I have TAC case opened about this CSS problem. The TAC engineer said everything looks okay but doesn't know why it wouldn't work. I just found out he is going to be away until November. Before I requeue the case, I thought I would try to see anyone here can spot anything wrong with my configuration. The objective is to direct traffic sourced from specific IP addresses or subnets to a service hosting the "you are not welcomed here" site. I am running this on a CSS 11503 with software 07.30.1.06.

Relevant excerpts of the CSS config (sanitized for public viewing) are here ...

service BLOCKED-1

ip address 192.168.24.113

keepalive type none

active

service WWW-1

ip address 192.168.24.112

keepalive type none

active

service WWW-2

ip address 192.168.24.122

keepalive type none

active

nql YOU-R-BLOCKED_NQL

description "Block these IP addresses from normal access."

ip address 2.2.2.2 255.255.255.255 "Bad Joe"

acl 1

clause 5 permit tcp nql YOU-R-BLOCKED_NQL destination 1.1.1.1 eq 80 prefer BLOCKED-1

clause 10 permit tcp any destination 1.1.1.1 eq 80

clause 20 permit tcp any destination 1.1.1.1 eq 443

apply circuit-(VLAN500)

circuit VLAN500

ip address 1.1.1.254 255.255.254.0

owner SITE

content WWW

vip address 1.1.1.1

add service WWW-1

add service WWW-2

Clauses 10 and 20 receive hits and all traffic, including those sourced from 2.2.2.2 are routed to WWW-1 and WWW-2. Clause 5 gets no hit whatsoever!

Gilles Dufour · ‎10-11-2004

since your nql is quite small, did you try to get rid of it and configure the ip address directly in your acl ?

Is the apply statement correctly appearing after all the acl clauses ?

Regards,

Gilles.

jchin · ‎10-12-2004

The NQL is only small for testing. It will be much bigger for production use.

Anyways, I did test with just the IP address directly in the ACL as you suggested, with the same result. No hit at all on the ACL clause.

jchin · ‎10-12-2004

Just tested with "deny" instead of "permit" and it blocked the traffic sourced from IP addresses listed in the nql. But the "prefer" option doesn't work.

Gilles Dufour · ‎10-12-2004

change your destination.

Do not specify the ip address but content rule name.

Type content instead of an ip address.

Regards,

Gilles.

jchin · ‎10-13-2004

Thanks! That did the trick! So the relevant acl entry now looks like ...

clause 5 permit tcp nql YOU-R-BLOCKED_NQL destination content SITE/WWW prefer BLOCKED-1

nchinetti · ‎10-13-2004

Any reason why "destination content" works and "destination " didn't?

Also, is there a way to redirect rewrite the URL instead of redirecting to the "preferred" service?

Gilles Dufour · ‎10-14-2004

it's because the acl is checked 2 times.

First time in hardware for basic security.

Allow/permit based on source destination.

That's why if you do block, it will block the traffic correctly.

Using a prefered service is done is software, when the content has been matched.

If you don't specify content, but ip address, the CSS could be confused [many rules with same ip but different port or url].

Anyway, this is expected to work like this.

You could configure the prefered service to be a redirect service.

This would send an http redirect to the client.

Check redirect service config on our website.

Regards,

Gilles.

jchin · ‎10-15-2004

Will it reduce the throughput of the switch significantly to have the software switched ACL clause present?

Gilles Dufour · ‎10-16-2004

I don't know if we can say significantly.

You would have to receive a lot of unnecessary traffic to see a difference.

But we can say it is a good practice to have acl to filter traffic and only allow what you really need.

Regards,

Gilles.