How to configure an ACL for Inter-GSS communication?

Introduction

This document provides a sample ACL (access control list) configuration, for GSS appliance, to allow inter-GSS communication within a cluster.

The packet filtering tools on the GSS instruct each device to permit or refuse specific packets based on a combination of criteria. Access lists are collections of filtering rules that you create with the access-list CLI command. The GSS examines each packet and forwards or drops it according to the criteria in the access list. When it decides whether to forward or block a packet, it tests the packet against each criteria statement in the order in which the statements were created; after the first match is found, the GSS does not check any further statements, so the order of the entries matters.

Core Issue

As per the documentation at the following URL,

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/gss4400series/v3.1.1/administration/guide/ACLs.html#wp1004764

GSS appliances in a cluster use the following ports for inter-GSS communication:

UDP port 2000, and TCP ports 2001-2005 and 3002-3008 (the "200" in some copies of this note is a truncation of UDP 2000; the ACLs below permit exactly these ports).

Each GSS appliance in a cluster can be configured with an ACL that allows only the other appliances in the cluster to communicate with it, by blocking all other traffic on the inside Ethernet interface of the appliance. Note that once an access list is applied to an interface, any traffic it does not explicitly permit is dropped.

Resolution

Consider an example where there are two GSS appliances in a cluster. Both appliances communicate with each other over Ethernet interface eth0.

The primary GSSM eth0 interface is configured with IP address 10.10.10.1.

The standby GSSM eth0 interface is configured with IP address 10.10.10.2.

Given that, you can configure the following access control lists (ACLs) to allow inter-GSS communication over Ethernet interface eth0.

Note: Because everything the ACL does not permit is dropped once it is applied to eth0, add entries for any other traffic this interface must carry before applying it, such as Telnet or SSH management access to the GSS, or you will cut off that access. Each port set below appears twice on purpose: the entry without destination-port matches the peer's source port, and the entry with destination-port matches the port the peer connects to, so both directions of each inter-GSS exchange are covered.

Primary GSSM (IP address for interface eth0: 10.10.10.1):

Step 1: Configure the ACL.

    access-list InterGSS permit tcp host 10.10.10.2 range 2001 2005
    access-list InterGSS permit tcp host 10.10.10.2 destination-port range 2001 2005
    access-list InterGSS permit tcp host 10.10.10.2 range 3002 3008
    access-list InterGSS permit tcp host 10.10.10.2 destination-port range 3002 3008
    access-list InterGSS permit udp host 10.10.10.2 eq 2000
    access-list InterGSS permit udp host 10.10.10.2 destination-port eq 2000

Step 2: Apply ACL to ethernet interface eth0 on the GSS appliance.

    access-group InterGSS interface eth0
   
Standby GSSM (IP address for interface eth0: 10.10.10.2):

Step 1: Configure the ACL.

    access-list InterGSS permit tcp host 10.10.10.1 range 2001 2005
    access-list InterGSS permit tcp host 10.10.10.1 destination-port range 2001 2005
    access-list InterGSS permit tcp host 10.10.10.1 range 3002 3008
    access-list InterGSS permit tcp host 10.10.10.1 destination-port range 3002 3008
    access-list InterGSS permit udp host 10.10.10.1 eq 2000
    access-list InterGSS permit udp host 10.10.10.1 destination-port eq 2000

Step 2: Apply ACL to ethernet interface eth0 on the GSS appliance.

    access-group InterGSS interface eth0
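The following Python script is an added example and is not part of the original article or of Cisco's GSS software. It models the evaluation rules described in the Introduction (first match wins, anything unmatched is dropped) for the subset of access-list syntax used on this page, and it generates the per-appliance ACL for a cluster of any size rather than only the two-member example above. It lets you check, before applying access-group on eth0, which packets an ACL will permit. The cluster addresses come from the article; the admin host 192.0.2.10 and the sample packets are constructed for the example.

```python
"""Model of GSS access-list evaluation and per-appliance inter-GSS ACL generation.

Added example (not Cisco code). Parses the access-list syntax used on the page
(host/any/network-mask sources, eq/range port operators, optional destination-port)
and evaluates packets with first-match-wins and implicit deny semantics.
GSS access lists have no destination-address field: they are bound to an
interface with access-group, so only protocol, source address and ports are matched.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Inter-GSS ports as used by the ACLs on the page.
INTER_GSS_TCP_RANGES = [(2001, 2005), (3002, 3008)]
INTER_GSS_UDP_PORTS = [2000]

# The primary GSSM's ACL exactly as shown in the article, used as a reference.
PAGE_PRIMARY_ACL = [
    "access-list InterGSS permit tcp host 10.10.10.2 range 2001 2005",
    "access-list InterGSS permit tcp host 10.10.10.2 destination-port range 2001 2005",
    "access-list InterGSS permit tcp host 10.10.10.2 range 3002 3008",
    "access-list InterGSS permit tcp host 10.10.10.2 destination-port range 3002 3008",
    "access-list InterGSS permit udp host 10.10.10.2 eq 2000",
    "access-list InterGSS permit udp host 10.10.10.2 destination-port eq 2000",
]


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source IPv4 address
    sport: int   # source port
    dport: int   # destination port


@dataclass
class Rule:
    action: str                       # "permit" or "deny"
    proto: str                        # "tcp", "udp", or "ip" (matches either)
    src: ipaddress.IPv4Network        # host a.b.c.d -> /32, any -> 0.0.0.0/0
    sport: Optional[Tuple[int, int]]  # source-port range, None = any port
    dport: Optional[Tuple[int, int]]  # destination-port range, None = any port


def _ports(tok: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Parse 'eq N' or 'range A B' starting at tok[i]; return (range, next index)."""
    if tok[i] == "eq":
        return (int(tok[i + 1]), int(tok[i + 1])), i + 2
    if tok[i] == "range":
        return (int(tok[i + 1]), int(tok[i + 2])), i + 3
    raise ValueError(f"unsupported port operator: {tok[i]}")


def parse_rule(line: str) -> Tuple[str, Rule]:
    """Parse one access-list line; return (list name, Rule)."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    name, action, proto, i = tok[1], tok[2], tok[3], 4
    if tok[i] == "host":
        src, i = ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    elif tok[i] == "any":
        src, i = ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    else:  # address followed by dotted netmask
        src, i = ipaddress.IPv4Network(f"{tok[i]}/{tok[i + 1]}"), i + 2
    sport = dport = None
    while i < len(tok):
        if tok[i] == "destination-port":
            dport, i = _ports(tok, i + 1)
        else:
            sport, i = _ports(tok, i)  # operator without keyword = source port
    return name, Rule(action, proto, src, sport, dport)


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching entry decides; a packet matching nothing is dropped."""
    for r in rules:
        if r.proto not in ("ip", pkt.proto):
            continue
        if ipaddress.IPv4Address(pkt.src) not in r.src:
            continue
        if r.sport and not (r.sport[0] <= pkt.sport <= r.sport[1]):
            continue
        if r.dport and not (r.dport[0] <= pkt.dport <= r.dport[1]):
            continue
        return r.action
    return "deny"  # implicit deny at the end of every applied access list


def check(lines: List[str], pkt: Packet) -> str:
    """Convenience: parse the ACL lines and evaluate one packet against them."""
    return evaluate([parse_rule(l)[1] for l in lines], pkt)


def inter_gss_acl(name: str, local_ip: str, cluster_ips: List[str],
                  admin_hosts: Tuple[str, ...] = ()) -> List[str]:
    """Build the ACL for one appliance: each other cluster member gets the six
    entries shown in the article (both directions of every port set); each
    admin host (constructed extension) gets SSH to this appliance."""
    lines = []
    for peer in cluster_ips:
        if peer == local_ip:
            continue
        for lo, hi in INTER_GSS_TCP_RANGES:
            lines.append(f"access-list {name} permit tcp host {peer} range {lo} {hi}")
            lines.append(f"access-list {name} permit tcp host {peer} destination-port range {lo} {hi}")
        for p in INTER_GSS_UDP_PORTS:
            lines.append(f"access-list {name} permit udp host {peer} eq {p}")
            lines.append(f"access-list {name} permit udp host {peer} destination-port eq {p}")
    for h in admin_hosts:
        lines.append(f"access-list {name} permit tcp host {h} destination-port eq 22")
    return lines


if __name__ == "__main__":
    acl = inter_gss_acl("InterGSS", "10.10.10.1", ["10.10.10.1", "10.10.10.2"])
    print("\n".join(acl))
    print("standby status report:", check(acl, Packet("udp", "10.10.10.2", 2000, 2000)))
    print("SSH from admin host:  ", check(acl, Packet("tcp", "192.0.2.10", 40000, 22)))
```

Running it prints the primary GSSM's ACL (identical to the one in Step 1 above) and shows that the standby's UDP 2000 status traffic is permitted while SSH from the admin host is dropped until an entry for it is added, which is the lockout the note warns about. Swapping the order of a broad permit and a narrower deny for the same peer flips the result, which is the first-match rule from the Introduction made concrete.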

More information on GSS access-lists can be found at:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/gss4400series/v3.1.1/administration/guide/ACLs.html#wp999590

Version history: Revision 1 of 1, last updated ‎08-06-2010 01:07 PM.
Comments

Shubha, nice document or feature