Why doesn't this work?

jchin
Level 1

I have a TAC case open about this CSS problem. The TAC engineer said everything looks okay but doesn't know why it wouldn't work. I just found out he is going to be away until November. Before I requeue the case, I thought I would try to see if anyone here can spot anything wrong with my configuration. The objective is to direct traffic sourced from specific IP addresses or subnets to a service hosting the "you are not welcomed here" site. I am running this on a CSS 11503 with software 07.30.1.06.

Relevant excerpts of the CSS config (sanitized for public viewing) are here ...

service BLOCKED-1
  ip address 192.168.24.113
  keepalive type none
  active

service WWW-1
  ip address 192.168.24.112
  keepalive type none
  active

service WWW-2
  ip address 192.168.24.122
  keepalive type none
  active

nql YOU-R-BLOCKED_NQL
  description "Block these IP addresses from normal access."
  ip address 2.2.2.2 255.255.255.255 "Bad Joe"

acl 1
  clause 5 permit tcp nql YOU-R-BLOCKED_NQL destination 1.1.1.1 eq 80 prefer BLOCKED-1
  clause 10 permit tcp any destination 1.1.1.1 eq 80
  clause 20 permit tcp any destination 1.1.1.1 eq 443
  apply circuit-(VLAN500)

circuit VLAN500
  ip address 1.1.1.254 255.255.254.0

owner SITE
  content WWW
    vip address 1.1.1.1
    add service WWW-1
    add service WWW-2

Clauses 10 and 20 receive hits, and all traffic, including traffic sourced from 2.2.2.2, is routed to WWW-1 and WWW-2. Clause 5 gets no hit whatsoever!

9 Replies

Gilles Dufour
Cisco Employee

Since your NQL is quite small, did you try to get rid of it and configure the IP address directly in your ACL?

Is the apply statement correctly appearing after all the ACL clauses?

Regards,

Gilles.

The NQL is only small for testing. It will be much bigger for production use.

Anyway, I did test with just the IP address directly in the ACL as you suggested, with the same result: no hit at all on the ACL clause.

I just tested with "deny" instead of "permit", and it blocked the traffic sourced from the IP addresses listed in the NQL. But the "prefer" option doesn't work.

Change your destination.

Do not specify the IP address but the content rule name.

Type content instead of an IP address.

Regards,

Gilles.

Thanks! That did the trick! So the relevant acl entry now looks like ...

clause 5 permit tcp nql YOU-R-BLOCKED_NQL destination content SITE/WWW prefer BLOCKED-1

Any reason why "destination content" works and "destination <ip address>" didn't?

Also, is there a way to redirect or rewrite the URL instead of redirecting to the "preferred" service?

It's because the ACL is checked two times.

The first time in hardware, for basic security.

Allow/permit based on source and destination.

That's why if you do block, it will block the traffic correctly.

Using a preferred service is done in software, when the content has been matched.

If you don't specify content but an IP address, the CSS could be confused [many rules with the same IP but a different port or URL].

Anyway, this is expected to work like this.

You could configure the preferred service to be a redirect service.

This would send an HTTP redirect to the client.

Check the redirect service config on our website.

Regards,

Gilles.
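As an added illustration of the two replies above (an example written for this page, not a configuration posted by jchin or by Cisco), here is the blocked-client steering rewritten the way Gilles describes: the ACL clause names the content rule rather than the VIP, so the software pass that evaluates "prefer" can match it, and the preferred service is a redirect service, so the blocked client receives an HTTP redirect instead of being served by BLOCKED-1. The service name BLOCKED-REDIRECT, the host blocked.example.net and the path /notwelcome.html are assumptions; the other names reuse the thread's configuration.

```text
! Redirect service (assumed name, host and path). A CSS redirect service has
! no real server behind it: the switch itself answers the matched request
! with an HTTP redirect built from "domain" and "redirect-string".
service BLOCKED-REDIRECT
  type redirect
  domain blocked.example.net
  redirect-string "/notwelcome.html"
  active

! Content rule unchanged from the thread; it is what the ACL clause now
! names as its destination.
owner SITE
  content WWW
    vip address 1.1.1.1
    add service WWW-1
    add service WWW-2
    active

! Clause 5 matches the NQL source against the content rule SITE/WWW, not
! against "1.1.1.1 eq 80". The hardware pass only decides permit/deny on
! source and destination; "prefer" is applied in software after the content
! rule has matched, which is why the destination must be the rule itself.
acl 1
  clause 5 permit tcp nql YOU-R-BLOCKED_NQL destination content SITE/WWW prefer BLOCKED-REDIRECT
  clause 10 permit tcp any destination 1.1.1.1 eq 80
  clause 20 permit tcp any destination 1.1.1.1 eq 443
  apply circuit-(VLAN500)
```

Two things to check after applying this. First, the per-clause hit counters the thread refers to are visible with show acl, so a blocked client's request should now increment clause 5 rather than only clause 10. Second, the posted content rule WWW carries no port or protocol line, so matching on the rule covers port 443 as well as 80; a redirect service cannot answer inside a TLS session, so if HTTPS clients from the NQL must also be handled, split the content rule by port and point the 443 variant at a service that can actually terminate the connection.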

Will it reduce the throughput of the switch significantly to have the software-switched ACL clause present?

I don't know if we can say significantly.

You would have to receive a lot of unnecessary traffic to see a difference.

But we can say it is good practice to have an ACL to filter traffic and only allow what you really need.

Regards,

Gilles.
