
limit client to server by nql

mcrichard
Level 1

I want to limit client-to-server access, and I am trying to use an NQL with an ACL.

If I enable the ACL, then all traffic is dropped (the permit clause was configured before enabling the ACL). Does anybody have samples, or can you tell me how to configure this? Thanks!

I want VLAN3 to be able to access the servers and VLAN2 not to.

!************************* INTERFACE *************************
interface e11
  bridge vlan 2
interface e12
  bridge vlan 3

!************************** CIRCUIT **************************
circuit VLAN1
  ip address 172.16.100.250 255.255.255.0
circuit VLAN2
  ip address 172.16.99.250 255.255.255.0
circuit VLAN3
  ip address 172.16.101.250 255.255.255.0

!************************** SERVICE **************************
service w1
  ip address 172.16.100.78
  port 10000
  active
service w2
  port 10000
  ip address 172.16.100.79
  active

!**************************** NQL ****************************
nql web
  ip address 172.16.100.0 255.255.255.0

!*************************** OWNER ***************************
owner web
  content webl
    add service w1
    add service w2
    protocol tcp
    port 80
    vip address 172.16.100.80
    active

!**************************** ACL ****************************
acl 1
  clause 20 permit tcp 172.16.101.0 255.255.255.0 destination nql web eq 80
  apply circuit-(VLAN1)

4 Replies

Gilles Dufour
Cisco Employee

If you enable ACLs, by default the CSS will drop all traffic unless you permit it explicitly.

Even on circuit interfaces where there is no ACL.

So you need to create an ACL like this:

acl 2
  clause 99 permit any any destination any
  apply circuit-(VLAN2)
  apply circuit-(VLAN3)

Let us know the result.

Gilles

Hi

Thanks for your reply. I have modified our config, but the NQL still doesn't work. When I run show acl I can see hits, but the NQL still doesn't work. I added the following:

!**************************** ACL ****************************
acl 1
  clause 1 permit tcp 172.16.101.0 255.255.255.0 destination nql web eq 80
  apply circuit-(VLAN1)
acl 2
  clause 2 permit any any destination any
  apply circuit-(VLAN2)
acl 3
  clause 3 permit any any destination any
  apply circuit-(VLAN3)

If I modify acl 1 to

acl 1
  clause 1 permit tcp 172.16.101.0 255.255.255.0 destination nql web eq 80
  clause 1 permit any any destination nql web eq 80
  apply circuit-(VLAN1)

then we can see hit counters on acl 1, and it can access the server.

Your ACL says: permit traffic from 172.16.101.0/24 to nql web and deny the rest.

Since the network 172.16.101.0/24 is on the interface vlan 3, I would expect acl 1 to be applied to vlan 3 and not vlan1.

If this is not what you want, please tell us what is working and what is not working (is all traffic going through, or no traffic at all?).

Thanks,

Gilles.
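Putting the two points from Gilles' replies together (once ACLs are enabled every circuit drops whatever is not explicitly permitted, and the client restriction belongs on the circuit the clients enter on), the following is an added example of how the ACL section of the thread's configuration could look. It is not the poster's or Cisco's own configuration; it assumes the circuit names (VLAN1, VLAN2, VLAN3), the NQL "web" and the VIP 172.16.100.80 from the original post, keeps the interface, circuit, service, NQL and owner sections unchanged, and assumes VLAN3 is the only client VLAN that should reach the VIP.

```cisco
!*************************** GLOBAL ***************************
! Added example, not the poster's or Cisco's own configuration.
! Everything except this "acl enable" and the ACL section below is
! assumed to be identical to the configuration in the original post.
acl enable

!**************************** ACL ****************************
! Client-side circuit. Clients on 172.16.101.0/24 enter the CSS on
! circuit VLAN3, so this is where the restriction must be applied.
! Clauses are evaluated in ascending clause-number order; anything
! not matched falls through to the implicit deny that "acl enable"
! brings with it. NQL "web" is 172.16.100.0/24, which covers the VIP
! 172.16.100.80, so client-to-VIP traffic on port 80 matches here.
acl 1
  clause 10 permit tcp 172.16.101.0 255.255.255.0 destination nql web eq 80
  apply circuit-(VLAN3)

! Server-side circuit. With ACLs enabled, a circuit with no permit
! drops all traffic entering on it, so the server VLAN needs its own
! explicit permit or the real servers w1/w2 lose connectivity.
acl 2
  clause 10 permit any any destination any
  apply circuit-(VLAN1)

! VLAN2 deliberately gets no ACL: the implicit deny that comes with
! "acl enable" blocks everything entering on circuit VLAN2, which is
! the behaviour the poster asked for. Any traffic VLAN2 does need
! (including traffic to the CSS itself) would have to be permitted
! by an ACL applied to circuit VLAN2.
```

After applying this, the hit counters in show acl should move on acl 1 clause 10 when a VLAN3 client connects to the VIP, and on acl 2 for server-side traffic; a VLAN3 client that is still blocked usually means its traffic is entering on a different circuit than the one the ACL is applied to, which is exactly the mismatch Gilles pointed out with acl 1 on VLAN1.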