Solved

Filtering traffic between a client and server Cisco CATOS and IOS

Posted on 2010-09-08
558 Views
Last Modified: 2012-05-10
I have been asked to isolate the traffic between a Client and Server so that only the traffic from the designated client gets back to the server. The vlan has many other hosts besides the client and server.

The server runs a packager program that has a client piece on the client virtual machine. When an installation is performed on the client then all the changes are reported back to the server to be recorded.

The goal is to capture only the changes made to the client while performing an installation so that an msi installation exe can be created. Currently the server is capturing unrelated traffic on the server port and adding this information to the msi. This unrelated information then has to be manually removed.

The server is connected to an access port on a 6500 access layer switch running CATOS and the client is a virtual machine running on a vsphere server. The vsphere server connects via a trunk port to a 6500 access layer switch running IOS. There is a 6500 layer 3 distribution switch between the two access switches. The server recording the installation and the client running the installation are both on different vlans and subnets so need to be routed through the distribution switch.

They are requesting an additional vlan be created but they do not want to change the ip addresses of the server and client. This will not work because we map a complete subnet to each vlan.

Can I create an acl on the CATOS switch that only allows the packets from the client ip or mac to get to the server port? Of course normal traffic to all the other ports on the vlan would still have to continue.

Maybe a separate dedicated physical network?
Question by:Dragon0x40
9 Comments
 
LVL 8

Assisted Solution

by:ludo_friend
ludo_friend earned 500 total points
ID: 33633637
The easiest way is to put the client on its own vlan, then you can do layer 3 filtering.

client 1 can talk to server (acl 101 line 1)
client 1 cannot talk to anything else (acl 101 line 2)
everyone else on that vlan interface can talk (acl 101 line 3)

server can talk to client 1 (acl 102 line 1)
server cannot talk to anything else (acl 102 line 2)
everyone else on that vlan interface can talk (acl 102 line 3)

!!!!!!check to make sure those acls aren't already in use!!!!!!

! 1.1.1.1 = client, 1.1.2.1 = server (placeholder addresses)
! numbered extended ACL syntax: access-list <100-199> permit|deny <proto> <src> <dst>
access-list 101 permit ip host 1.1.1.1 host 1.1.2.1
access-list 101 deny ip host 1.1.1.1 any
access-list 101 permit ip any any
!
! applied inbound on the client's vlan interface
interface vlan 1
 ip access-group 101 in
!
access-list 102 permit ip host 1.1.2.1 host 1.1.1.1
access-list 102 deny ip host 1.1.2.1 any
access-list 102 permit ip any any
!
! applied inbound on the server's vlan interface
interface vlan 2
 ip access-group 102 in
!
 

Author Comment

by:Dragon0x40
ID: 33639040
thanks ludo friend,

A separate vlan might work but we are trying to keep the same ip address scheme.

To work in the current vlan, the filtering would have to be done at the port level on the port leading to the server.

Can mac filtering do that?
 
LVL 8

Accepted Solution

by:
ludo_friend earned 500 total points
ID: 33642339
yes, but you need to assign the interface to a bridge-group and do your filtering from there, in the form of input and output access-lists. layer 3 filtering on the vlan is MUCH simpler. I don't do it this way personally, so you'll have to test it yourself.


! 700-799 = 48-bit MAC address lists: access-list <700-799> permit|deny <mac> <mask>
! a mask bit of 1 means "don't care"; 0000.1122.33AA is the client's MAC (placeholder)
!from: frames entering the port, matched on source MAC
access-list 700 permit 0000.1122.33AA 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
!to: frames leaving the port, matched on destination MAC
access-list 701 permit 0000.1122.33AA 0000.0000.0000
access-list 701 deny 0000.0000.0000 ffff.ffff.ffff
!
interface ethernet 0
 bridge-group 1
 bridge-group 1 input-address-list 700
 bridge-group 1 output-address-list 701
!
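As an added check (not part of either answer above), a small Python model of how IOS evaluates the two kinds of list proposed here, the extended IP ACL 101 from the first answer and the 700-series MAC list from the accepted solution: entries are tried top-down, the first match wins, and a packet matching nothing hits the implicit deny. The 1.1.x.x and 0000.1122.33AA values are the answers' own placeholders; the config text and the bystander addresses in the test are constructed.

```python
from ipaddress import IPv4Address

# Constructed config: the two filters proposed above in corrected numbered-ACL
# syntax. 1.1.1.1 and 0000.1122.33AA stand for the client, 1.1.2.1 for the server.
CONFIG = """
access-list 101 permit ip host 1.1.1.1 host 1.1.2.1
access-list 101 deny ip host 1.1.1.1 any
access-list 101 permit ip any any
access-list 700 permit 0000.1122.33AA 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
"""

def _ip(s):
    return int(IPv4Address(s))

def _mac(s):
    return int(s.replace(".", ""), 16)

def _ip_spec(tokens):
    # Consume one IOS address spec: any | host A | A WILDCARD -> (value, wildcard bits)
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(tok), _ip(tokens.pop(0))

def parse_acls(text):
    """Map ACL number -> [(action, src_spec, dst_spec)]; dst_spec is None for MAC lists."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        if 700 <= int(t[1]) <= 799:          # 700-799: 48-bit MAC address list
            entry = (t[2], (_mac(t[3]), _mac(t[4])), None)
        else:                                # 100-199: extended IP list (proto src dst)
            rest = t[4:]
            entry = (t[2], _ip_spec(rest), _ip_spec(rest))
        acls.setdefault(t[1], []).append(entry)
    return acls

def _match(spec, value):
    base, wild = spec
    return ((base ^ value) & ~wild) == 0     # a set wildcard bit means "don't care"

def evaluate(acl, src, dst=None):
    """IOS semantics: first matching entry wins; no match means the implicit deny."""
    for action, s, d in acl:
        if _match(s, src) and (d is None or _match(d, dst)):
            return action
    return "deny"
```

Running the client-to-server, client-to-bystander and bystander-to-bystander flows through ACL 101 shows the intended policy; running any MAC other than the client's through list 700 shows why the accepted solution locks the port to that one station.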
 

Author Comment

by:Dragon0x40
ID: 33665830
thanks ludo friend,

Would that still work if the client is a virtual machine on an HP enclosure and the interface through which the enclosure is connected to the switch is a trunk?

It would seem that the only traffic allowed through interface ethernet 0 would be the one mac address? So if I put this config on the trunk to the HP enclosure then other virtual machines and servers would not get their traffic.

Having a physical server on one end and an HP Enclosure with virtual machines on the other makes it difficult to isolate the traffic so the virtual machine only talks to the server. And all other traffic to the server and the HP enclosure still needs to be allowed.

 
LVL 8

Assisted Solution

by:ludo_friend
ludo_friend earned 500 total points
ID: 33667608
Hi - with that in mind, I'd really go down the VLAN path. I have a few "temp" vlans assigned to my esxi infrastructure for this exact purpose (test & isolate)
 

Author Comment

by:Dragon0x40
ID: 33667900
We may have to add a vlan just for isolating the virtual machine.

Checking with the software packager company to see if they have any solutions to isolate or ignore changes made to the vm not made by the software being installed.
 

Author Comment

by:Dragon0x40
ID: 33846559
Still waiting for an answer from the software vendor
 
LVL 8

Expert Comment

by:ludo_friend
ID: 33846569
Thanks for keeping me posted :)
 

Author Comment

by:Dragon0x40
ID: 33900514
We will go to offline captures to isolate.