Filtering traffic between a client and server Cisco CATOS and IOS

Posted on 2010-09-08
Last Modified: 2012-05-10
I have been asked to isolate the traffic between a Client and Server so that only the traffic from the designated client gets back to the server. The vlan has many other hosts besides the client and server.

The server runs a packager program that has a client piece on the client virtual machine. When an installation is performed on the client then all the changes are reported back to the server to be recorded.

The goal is to capture only the changes made to the client while performing an installation so that an msi installation exe can be created. Currently the server is capturing unrelated traffic on the server port and adding this information to the msi. This unrelated information then has to be manually removed.

The server is connected to an access port on a 6500 access layer switch running CATOS and the client is a virtual machine running on a vSphere server. The vSphere server connects via a trunk port to a 6500 access layer switch running IOS. There is a 6500 layer 3 distribution switch between the two access switches. The server recording the installation and the client running the installation are both on different vlans and subnets so need to be routed through the distribution switch.

They are requesting an additional vlan be created but they do not want to change the ip addresses of the server and client. This will not work because we map a complete subnet to each vlan.

Can I create an acl on the CATOS switch that only allows the packets from the client ip or mac to get to the server port? Of course normal traffic to all the other ports on the vlan would still have to continue.

Maybe a separate dedicated physical network?
Question by:Dragon0x40
Assisted Solution

by:ludo_friend
ID: 33633637
Easiest way is to put the client on its own vlan, then you can do layer 3 filtering.



client 1 can talk to server (acl 101 line 1)
client 1 cannot talk to anything else (acl 101 line 2)
everyone else on that vlan interface can talk (acl 101 line 3)

server can talk to client 1 (acl 102 line 1)
server cannot talk to anything else (acl 102 line 2)
everyone else on that vlan interface can talk (acl 102 line 3)


!!!!!!check to make sure those acls aren't already in use!!!!!!


! numbered extended ACLs use the "access-list <n> permit|deny ip ..." form
! client 1 -> server only; everyone else on the client vlan unaffected
access-list 101 permit ip host 1.1.1.1 host 1.1.2.1
access-list 101 deny ip host 1.1.1.1 any
access-list 101 permit ip any any
!
interface vlan 1
 ip access-group 101 in
!
! server -> client 1 only; everyone else on the server vlan unaffected
access-list 102 permit ip host 1.1.2.1 host 1.1.1.1
access-list 102 deny ip host 1.1.2.1 any
access-list 102 permit ip any any
!
interface vlan 2
 ip access-group 102 in
!
Author Comment

by:Dragon0x40
ID: 33639040
thanks ludo friend,

A separate vlan might work but we are trying to keep the same ip address scheme.

To work in the current vlan, the filtering would have to be done at the port level on the port leading to the server.

Can mac filtering do that?
Accepted Solution

by:ludo_friend
ID: 33642339
Yes, but you need to assign the interface to a bridge-group and do your filtering from there, in the form of input and output access-lists. Layer 3 filtering on the vlan is MUCH simpler. I don't do it this way personally, so you'll have to test it yourself.


! the bridge group must exist before an interface can be placed in it
bridge 1 protocol ieee
!
! from the client: 700-series list matched against the source MAC
access-list 700 permit 0000.1122.33AA 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
! to the client: same list matched against the destination MAC
access-list 701 permit 0000.1122.33AA 0000.0000.0000
access-list 701 deny 0000.0000.0000 ffff.ffff.ffff
!
! MAC address lists are attached with input-/output-address-list
interface ethernet 0
 bridge-group 1
 bridge-group 1 input-address-list 700
 bridge-group 1 output-address-list 701
!
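Added example, not code from the thread: a small first-match evaluator for the two ACL styles ludo_friend posted (the IP lists 101/102 and the MAC list 700), using the addresses from the thread plus two constructed neighbour MACs to show what each list lets through on a shared trunk.

```python
# Added example, not from the thread: a first-match evaluator for the two ACL
# styles ludo_friend posted, so their effect can be checked before deploying.
# Cisco ACLs are read top-down, the first matching line wins, and anything that
# matches no line hits the implicit deny at the end of every list.

# IP ACLs 101/102 from the thread as (action, source, destination); "any"
# matches every address, a plain address behaves like a "host" entry.
ACL_101 = [("permit", "1.1.1.1", "1.1.2.1"),   # client 1 -> server
           ("deny",   "1.1.1.1", "any"),       # client 1 -> anything else
           ("permit", "any",     "any")]       # everyone else on the VLAN
ACL_102 = [("permit", "1.1.2.1", "1.1.1.1"),   # server -> client 1
           ("deny",   "1.1.2.1", "any"),
           ("permit", "any",     "any")]

# MAC ACL 700 from the thread as (action, address, wildcard mask): a mask bit
# of 1 means "don't care", so 0000.0000.0000 is exact and ffff.ffff.ffff is any.
ACL_700 = [("permit", "0000.1122.33AA", "0000.0000.0000"),
           ("deny",   "0000.0000.0000", "ffff.ffff.ffff")]


def ip_acl_allows(acl, src, dst):
    """True if an IP packet src -> dst is permitted by the list."""
    for action, s, d in acl:
        if s in ("any", src) and d in ("any", dst):
            return action == "permit"
    return False  # implicit deny


def _mac_int(mac):
    return int(mac.replace(".", "").replace(":", ""), 16)


def mac_acl_allows(acl, mac):
    """True if a frame with this MAC is permitted by a 700-series list."""
    m = _mac_int(mac)
    for action, addr, wild in acl:
        care = ~_mac_int(wild) & 0xFFFFFFFFFFFF  # bits that must match exactly
        if (m & care) == (_mac_int(addr) & care):
            return action == "permit"
    return False  # implicit deny


def hosts_passing(acl, macs):
    """Which MACs behind one trunk port get through the bridge-group filter."""
    return [mac for mac in macs if mac_acl_allows(acl, mac)]


if __name__ == "__main__":
    # Constructed sample: the client VM plus two other VMs sharing the trunk.
    trunk = ["0000.1122.33AA", "0000.1122.33BB", "0000.4455.6677"]
    print(ip_acl_allows(ACL_101, "1.1.1.1", "1.1.3.9"))  # False
    print(hosts_passing(ACL_700, trunk))  # ['0000.1122.33AA']
```

Running it shows the concern raised about the trunk: with list 700 on the bridge-group, only the one client MAC passes and every other VM behind that port is dropped.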
Author Comment

by:Dragon0x40
ID: 33665830
thanks ludo friend,

Would that still work if the client is a virtual machine on an HP enclosure and the interface that the enclosure is connected to the switch is a trunk?

It would seem that the only traffic allowed through interface ethernet 0 would be the one mac address? So if I put this config on the trunk to the HP enclosure then other virtual machines and servers would not get their traffic.

Having a physical server on one end and an HP Enclosure with virtual machines on the other makes it difficult to isolate the traffic so the virtual machine only talks to the server. And all other traffic to the server and the HP enclosure still needs to be allowed.

Assisted Solution

by:ludo_friend
ID: 33667608
Hi - with that in mind, I'd really go down the VLAN path. I have a few "temp" vlans assigned to my esxi infrastructure for this exact purpose (test & isolate)



Author Comment

by:Dragon0x40
ID: 33667900
We may have to add a vlan just for isolating the virtual machine.

Checking with the software packager company to see if they have any solutions to isolate or ignore changes made to the vm not made by the software being installed.
Author Comment

by:Dragon0x40
ID: 33846559
Still waiting for an answer from the software vendor
Expert Comment

by:ludo_friend
ID: 33846569
Thanks for keeping me posted :)
Author Comment

by:Dragon0x40
ID: 33900514
We will go to offline captures to isolate.