CSS: How to deny access to VIP except for configured service

Let's suppose I have 2 web servers load balanced on a CSS with a configured service on port 443. Is there a way to drop all requests that are not for port 443? Or do I need to put the CSS behind a firewall to achieve this?

Accepted Solution

Re: CSS: How to deny access to VIP except for configured service

You can use an ACL to accomplish this:

VIP: 10.0.0.1

protocol: 443

client-side VLAN: 10

acl 1
  clause 10 permit tcp any destination 10.0.0.1 eq 443
  clause 20 deny any any destination 10.0.0.1
  clause 30 permit any any destination any
  apply circuit-(VLAN10)

This will

- allow 443 to the VIP from any source

- deny all the rest to the VIP

- allow any other traffic

- apply the ACL to the circuit VLAN10

Don't forget to globally enable ACLs:

acl enable

HTH,

Dario
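To make the ordering logic of the answer above concrete, here is a small first-match evaluator for CSS-style ACL clauses. It is an added example written for this page, not code from the original post or from Cisco; it models only the clause subset shown in the answer (permit/deny, protocol, single source/destination address, optional destination port), assumes an applied ACL ends in an implicit deny, and treats a port match as valid only with tcp or udp. The sample packets are constructed, not captured traffic.

```python
"""Toy first-match evaluator for CSS-style ACL clauses (added example, not Cisco code)."""
from dataclasses import dataclass
from typing import List, Optional, Dict


@dataclass(frozen=True)
class Clause:
    number: int
    action: str              # "permit" or "deny"
    protocol: str            # "any", "tcp", "udp" or "icmp"
    src: str                 # "any" or a single IPv4 address
    dst: str                 # "any" or a single IPv4 address
    dst_port: Optional[int]  # only set when the clause ends in "eq PORT"


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def parse_clause(line: str) -> Clause:
    """Parse 'clause N permit|deny PROTO SRC destination DST [eq PORT]'.

    Only the grammar subset used in the answer is handled; anything else raises.
    Assumption of this model: a port match ("eq") is only accepted with tcp/udp.
    """
    t = line.split()
    if len(t) < 7 or t[0] != "clause" or t[5] != "destination":
        raise ValueError(f"unsupported clause syntax: {line!r}")
    number, action, proto, src, dst = int(t[1]), t[2], t[3], t[4], t[6]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in {line!r}")
    port = None
    if len(t) > 7:
        if t[7] != "eq" or proto not in ("tcp", "udp"):
            raise ValueError(f"port match requires tcp or udp: {line!r}")
        port = int(t[8])
    return Clause(number, action, proto, src, dst, port)


def matches(c: Clause, p: Packet) -> bool:
    """A clause matches when every field it constrains equals the packet's field."""
    if c.protocol != "any" and c.protocol != p.protocol:
        return False
    if c.src != "any" and c.src != p.src:
        return False
    if c.dst != "any" and c.dst != p.dst:
        return False
    if c.dst_port is not None and c.dst_port != p.dst_port:
        return False
    return True


def decide(clauses: List[Clause], p: Packet, acl_enabled: bool = True) -> str:
    """First matching clause (by clause number) wins.

    Assumptions of this model: with 'acl enable' absent nothing is evaluated and
    all traffic passes; an applied ACL ends in an implicit deny, which is why the
    answer needs clause 30 to keep non-VIP traffic flowing.
    """
    if not acl_enabled:
        return "permit"
    for c in sorted(clauses, key=lambda k: k.number):
        if matches(c, p):
            return c.action
    return "deny"


VIP = "10.0.0.1"  # the VIP from the answer

# The three clauses from the answer, parsed from their CLI form.
ACL_1 = [parse_clause(line) for line in (
    f"clause 10 permit tcp any destination {VIP} eq 443",
    f"clause 20 deny any any destination {VIP}",
    "clause 30 permit any any destination any",
)]

# Constructed sample packets (not captured traffic); 192.0.2.0/24 is a documentation range.
SAMPLES = {
    "https_to_vip":   Packet("tcp", "192.0.2.10", VIP, 443),
    "http_to_vip":    Packet("tcp", "192.0.2.10", VIP, 80),
    "ssh_to_vip":     Packet("tcp", "192.0.2.10", VIP, 22),
    "ping_to_vip":    Packet("icmp", "192.0.2.10", VIP),
    "http_elsewhere": Packet("tcp", "192.0.2.10", "10.0.0.50", 80),
}


def run_samples(clauses: List[Clause] = ACL_1, acl_enabled: bool = True) -> Dict[str, str]:
    """Evaluate every sample packet and return name -> permit/deny."""
    return {name: decide(clauses, pkt, acl_enabled) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:15s} {verdict}")
```

Running `run_samples(ACL_1[:2])` (clauses 10 and 20 only) shows why the answer keeps clause 30: without it, traffic to hosts other than the VIP falls through to the implicit deny, and `run_samples(acl_enabled=False)` shows that none of the clauses take effect until `acl enable` is issued.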
