CSS: How to deny access to VIP except for configured service

netadmrona
Level 1

Let's suppose I have 2 web servers load balanced on a CSS with a configured service on port 443. Is there a way to drop all requests that are not for port 443? Or do I need to put the CSS behind a firewall to achieve this?

1 Accepted Solution


dario.didio
Level 4

You can use an ACL to accomplish this:

VIP: 10.0.0.1
protocol: 443
client-side VLAN: 10

acl 1
  clause 10 permit any any destination 10.0.0.1 eq 443
  clause 20 deny any any destination 10.0.0.1
  clause 30 permit any any destination any
  apply circuit-VLAN10

This will:

- allow 443 to the VIP from any source
- deny all the rest to the VIP
- allow any other traffic
- apply the ACL to the circuit VLAN10

Don't forget to globally enable ACLs:

acl enable

HTH,

Dario
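
A first-match model of the ACL in the answer above, added here as an example and not part of the original post. It assumes clauses are checked in ascending clause-number order, the first match wins, and traffic matching no clause is denied; the function names, probe ports and the misordered ACL are constructed for illustration.

```python
import ipaddress

# The three clauses from the answer, as (number, action, dest, dest_port).
# dest None models "destination any"; dest_port None models no "eq" qualifier.
ACL_1 = [
    (10, "permit", "10.0.0.1", 443),
    (20, "deny", "10.0.0.1", None),
    (30, "permit", None, None),
]


def evaluate(acl, dst_ip, dst_port):
    """Return (action, clause_number) for the first clause that matches.

    Assumption: ascending clause order, first match wins, and a packet
    that matches no clause is denied (returned as ("deny", None)).
    """
    dst = ipaddress.ip_address(dst_ip)
    for number, action, dest, port in sorted(acl, key=lambda c: c[0]):
        if dest is not None and ipaddress.ip_address(dest) != dst:
            continue
        if port is not None and port != dst_port:
            continue
        return action, number
    return "deny", None


def audit(acl, vip="10.0.0.1", service_port=443,
          probe_ports=(22, 23, 80, 443, 8080)):
    """List VIP ports the ACL permits even though no service uses them."""
    return [p for p in probe_ports
            if p != service_port and evaluate(acl, vip, p)[0] == "permit"]


if __name__ == "__main__":
    # Constructed sample packets: service port, stray port, other host.
    for ip, port in [("10.0.0.1", 443), ("10.0.0.1", 80), ("10.0.0.20", 80)]:
        print(ip, port, evaluate(ACL_1, ip, port))
    # Constructed misordering: catch-all permit numbered ahead of the deny.
    misordered = [(10, "permit", "10.0.0.1", 443),
                  (15, "permit", None, None),
                  (20, "deny", "10.0.0.1", None)]
    print("unexpectedly open on VIP:", audit(misordered))
```

Under these assumptions, dropping clause 30 would deny everything on the circuit that is not port 443 to the VIP, which is why the answer ends the ACL with a catch-all permit.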
