CSS: How to deny access to VIP except for configured service

Answered Question
Jul 15th, 2009

Let's suppose I have 2 web servers load balanced on a CSS with a configured service on port 443. Is there a way to drop all requests that are not for port 443? Or do I need to put the CSS behind a firewall to achieve this?

Correct Answer by dario.didio about 7 years 4 months ago

You can use an ACL to accomplish this:

VIP: 10.0.0.1
protocol: 443
client-side VLAN: 10

acl 1
clause 10 permit any any destination 10.0.0.1 eq 443
clause 20 deny any any destination 10.0.0.1
clause 30 permit any any destination any
apply circuit-VLAN10

This will:

- allow 443 to the VIP from any source
- deny all the rest to the VIP
- allow any other traffic
- apply the ACL to the circuit VLAN10

Don't forget to globally enable ACLs:

acl enable

HTH,

Dario
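As an added example that is not part of this thread and not a Cisco tool: a small Python model of how the ACL in the answer above treats sample flows. It parses the three clause lines exactly as posted, evaluates them top-down with first match winning, and (an assumption made explicit in the code) treats a packet that matches no clause as dropped. The sample flows and addresses are constructed; running it shows why clause 30 is needed for traffic that is not destined to the VIP.

```python
# Added example, not from the original thread: simulate the first-match
# evaluation of the CSS ACL posted above against a few constructed flows.
# Assumptions (labelled): clauses are checked in ascending clause number,
# the first matching clause decides, and an ACL with no matching clause
# denies the packet (which is why the posted ACL ends with clause 30).

from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional


@dataclass(frozen=True)
class Clause:
    number: int
    action: str           # "permit" or "deny"
    protocol: str         # "any" or a protocol name such as "tcp"
    source: str           # "any" or an IP address
    destination: str      # "any" or an IP address
    port: Optional[int]   # destination port from "eq <port>", else None


@dataclass(frozen=True)
class Flow:
    protocol: str
    src: str
    dst: str
    dport: int


def parse_clause(line: str) -> Clause:
    """Parse 'clause N permit|deny PROTO SRC destination DST [eq PORT]'."""
    tokens = line.split()
    if len(tokens) < 7 or tokens[0] != "clause" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not a CSS ACL clause: {line!r}")
    if tokens[5] != "destination":
        raise ValueError(f"expected 'destination' in: {line!r}")
    port = None
    if len(tokens) > 7:
        # Only the 'eq <port>' form used in the thread is modelled here.
        if tokens[7] != "eq" or len(tokens) != 9:
            raise ValueError(f"unsupported port qualifier in: {line!r}")
        port = int(tokens[8])
    return Clause(int(tokens[1]), tokens[2], tokens[3], tokens[4], tokens[6], port)


def parse_acl(text: str) -> List[Clause]:
    """Collect the clause lines of an ACL block, ordered by clause number."""
    clauses = [parse_clause(ln.strip()) for ln in text.splitlines()
               if ln.strip().startswith("clause")]
    return sorted(clauses, key=lambda c: c.number)


def _addr_matches(pattern: str, addr: str) -> bool:
    return pattern == "any" or ip_address(pattern) == ip_address(addr)


def clause_matches(clause: Clause, flow: Flow) -> bool:
    return ((clause.protocol == "any" or clause.protocol == flow.protocol)
            and _addr_matches(clause.source, flow.src)
            and _addr_matches(clause.destination, flow.dst)
            and (clause.port is None or clause.port == flow.dport))


def evaluate(acl: List[Clause], flow: Flow) -> str:
    """First matching clause decides; no match is treated as deny (assumption)."""
    for clause in acl:
        if clause_matches(clause, flow):
            return clause.action
    return "deny"


def evaluate_all(acl: List[Clause], flows: List[Flow]) -> List[str]:
    return [evaluate(acl, f) for f in flows]


# The ACL exactly as posted in the answer.
ACL_TEXT = """
acl 1
clause 10 permit any any destination 10.0.0.1 eq 443
clause 20 deny any any destination 10.0.0.1
clause 30 permit any any destination any
apply circuit-VLAN10
"""
ACL = parse_acl(ACL_TEXT)

# Constructed sample flows (client addresses are documentation-range examples).
SAMPLE_FLOWS = [
    Flow("tcp", "192.0.2.10", "10.0.0.1", 443),  # HTTPS to the VIP: clause 10 permits
    Flow("tcp", "192.0.2.10", "10.0.0.1", 80),   # HTTP to the VIP: clause 20 denies
    Flow("tcp", "192.0.2.10", "10.0.0.1", 22),   # SSH to the VIP: clause 20 denies
    Flow("tcp", "192.0.2.10", "10.0.0.2", 80),   # not the VIP: clause 30 permits
]

if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, evaluate_all(ACL, SAMPLE_FLOWS)):
        print(f"{flow.protocol} {flow.src} -> {flow.dst}:{flow.dport}: {verdict}")
```

Dropping clause 30 from ACL_TEXT and re-running shows the last flow turn into a deny, which is the behaviour a practitioner should verify before applying an ACL to a circuit VLAN that also carries non-VIP traffic.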
