10-10-2004 03:28 PM
I have a TAC case opened about this CSS problem. The TAC engineer said everything looks okay but doesn't know why it wouldn't work. I just found out he is going to be away until November. Before I requeue the case, I thought I would try to see if anyone here can spot anything wrong with my configuration. The objective is to direct traffic sourced from specific IP addresses or subnets to a service hosting the "you are not welcomed here" site. I am running this on a CSS 11503 with software 07.30.1.06.
Relevant excerpts of the CSS config (sanitized for public viewing) are here ...
service BLOCKED-1
  ip address 192.168.24.113
  keepalive type none
  active

service WWW-1
  ip address 192.168.24.112
  keepalive type none
  active

service WWW-2
  ip address 192.168.24.122
  keepalive type none
  active

nql YOU-R-BLOCKED_NQL
  description "Block these IP addresses from normal access."
  ip address 2.2.2.2 255.255.255.255 "Bad Joe"

acl 1
  clause 5 permit tcp nql YOU-R-BLOCKED_NQL destination 1.1.1.1 eq 80 prefer BLOCKED-1
  clause 10 permit tcp any destination 1.1.1.1 eq 80
  clause 20 permit tcp any destination 1.1.1.1 eq 443
  apply circuit-(VLAN500)

circuit VLAN500
  ip address 1.1.1.254 255.255.254.0

owner SITE
  content WWW
    vip address 1.1.1.1
    add service WWW-1
    add service WWW-2
Clauses 10 and 20 receive hits, and all traffic, including that sourced from 2.2.2.2, is routed to WWW-1 and WWW-2. Clause 5 gets no hits whatsoever!
10-11-2004 05:14 AM
Since your NQL is quite small, did you try to get rid of it and configure the IP address directly in your ACL?
Is the apply statement correctly appearing after all the ACL clauses?
Regards,
Gilles.
10-12-2004 12:27 AM
The NQL is only small for testing. It will be much bigger for production use.
Anyway, I did test with just the IP address directly in the ACL as you suggested, with the same result. No hit at all on the ACL clause.
10-12-2004 12:47 AM
Just tested with "deny" instead of "permit", and it blocked the traffic sourced from the IP addresses listed in the NQL. But the "prefer" option doesn't work.
10-12-2004 03:14 AM
Change your destination.
Do not specify the IP address but the content rule name.
Type "content".
Regards,
Gilles.
10-13-2004 12:16 AM
Thanks! That did the trick! So the relevant ACL entry now looks like ...
  clause 5 permit tcp nql YOU-R-BLOCKED_NQL destination content SITE/WWW prefer BLOCKED-1
10-13-2004 09:43 AM
Any reason why "destination content" works and "destination
Also, is there a way to redirect or rewrite the URL instead of redirecting to the "preferred" service?
10-14-2004 03:46 AM
It's because the ACL is checked 2 times.
First time in hardware for basic security.
Allow/permit based on source/destination.
That's why if you do block, it will block the traffic correctly.
Using a preferred service is done in software, when the content has been matched.
If you don't specify content, but an IP address, the CSS could be confused [many rules with the same IP but different port or URL].
Anyway, this is expected to work like this.
You could configure the preferred service to be a redirect service.
This would send an HTTP redirect to the client.
Check the redirect service config on our website.
Regards,
Gilles.
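Putting the two suggestions from this reply together, the ACL and a redirect service would look like the following. This is an added illustration for readers of the thread, not configuration posted by either participant. The redirect service syntax (type redirect, redirect-string) is assumed from the CSS 11500 content configuration guide and the redirect URL is a placeholder, so check both against the documentation for your software version before using them; the lines starting with "!" are explanatory notes, not CSS commands.

```text
! Redirect service: instead of proxying the client to a real server, the CSS
! answers with an HTTP redirect to the given URL. Syntax assumed from the
! CSS documentation; the URL is a placeholder.
service BLOCKED-REDIRECT
  type redirect
  redirect-string "http://blocked.example.com/notwelcome.html"
  active

acl 1
  ! Original clause 5 (does not steer traffic): a "destination <ip>" match is
  ! made in the hardware pass, and "prefer" is only honored in the software
  ! pass after a content rule has matched, so the preferred service is never
  ! used. A "deny" in this form does block the source, as observed above.
  ! clause 5 permit tcp nql YOU-R-BLOCKED_NQL destination 1.1.1.1 eq 80 prefer BLOCKED-1
  !
  ! Working clause 5: match on the content rule (owner/content) so the clause
  ! is evaluated in software, where "prefer" takes effect. Preferring the
  ! redirect service sends the blocked client an HTTP redirect instead of
  ! serving it from a backend server.
  clause 5 permit tcp nql YOU-R-BLOCKED_NQL destination content SITE/WWW prefer BLOCKED-REDIRECT
  clause 10 permit tcp any destination 1.1.1.1 eq 80
  clause 20 permit tcp any destination 1.1.1.1 eq 443
  apply circuit-(VLAN500)
```

Clause order still matters: the NQL-based clause must precede the "any" clauses 10 and 20, otherwise the blocked sources are matched by the general permits first and never reach the steering clause. To keep serving the original "not welcome" page from a real host rather than redirecting, keep "prefer BLOCKED-1" in the working clause instead of the redirect service.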
10-15-2004 10:56 PM
Will it significantly reduce the throughput of the switch to have the software-switched ACL clause present?
10-16-2004 12:19 AM
I don't know if we can say significantly.
You would have to receive a lot of unnecessary traffic to see a difference.
But we can say it is good practice to have an ACL to filter traffic and only allow what you really need.
Regards,
Gilles.