Filtering traffic between a client and server Cisco CATOS and IOS

I have been asked to isolate the traffic between a Client and Server so that only the traffic from the designated client gets back to the server. The vlan has many other hosts besides the client and server.

The server runs a packager program that has a client piece on the client virtual machine. When an installation is performed on the client then all the changes are reported back to the server to be recorded.

The goal is to capture only the changes made to the client while performing an installation so that an msi installation exe can be created. Currently the server is capturing unrelated traffic on the server port and adding this information to the msi. This unrelated information then has to be manually removed.

The server is connected to an access port on a 6500 access layer switch running CatOS and the client is a virtual machine running on a vSphere server. The vSphere server connects via a trunk port to a 6500 access layer switch running IOS. There is a 6500 Layer 3 distribution switch between the two access switches. The server recording the installation and the client running the installation are on different VLANs and subnets, so traffic between them has to be routed through the distribution switch.

They are requesting an additional vlan be created but they do not want to change the ip addresses of the server and client. This will not work because we map a complete subnet to each vlan.

Can I create an acl on the CATOS switch that only allows the packets from the client ip or mac to get to the server port? Of course normal traffic to all the other ports on the vlan would still have to continue.

Maybe a separate dedicated physical network?
Dragon0x40 asked:

ludo_friend commented:
yes, but you need to assign the interface to a bridge-group and do your filtering from there, in the form of input and output access-lists. layer 3 filtering on the vlan is MUCH simpler. I don't do it this way personally, so you'll have to test it yourself.


!bridging has to be enabled globally before an interface can join bridge-group 1
bridge 1 protocol ieee
!
!from: 700-series access lists match 48-bit MAC addresses; the second field is a
!wildcard mask (0000.0000.0000 = exact match, ffff.ffff.ffff = any address)
access-list 700 permit 0000.1122.33AA 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
!to
access-list 701 permit 0000.1122.33AA 0000.0000.0000
access-list 701 deny 0000.0000.0000 ffff.ffff.ffff
!
!input-address-list filters on the source MAC of frames entering the interface,
!output-address-list on the destination MAC of frames leaving it
interface ethernet 0
 bridge-group 1
 bridge-group 1 input-address-list 700
 bridge-group 1 output-address-list 701
!


 
ludo_friend commented:
easiest way is to put the client on its own vlan, then you can do layer 3 filtering.



client 1 can talk to server (acl 101 line 1)
client 1 cannot talk to anything else (acl 101 line 2)
everyone else on that vlan interface can talk (acl 101 line 3)

server can talk to client 1 (acl 102 line 1)
server cannot talk to anything else (acl 102 line 2)
everyone else on that vlan interface can talk (acl 102 line 3)


!!!!!!check to make sure those acls aren't already in use!!!!!!


!assumed: client 1.1.1.1 in VLAN 1, server 1.1.2.1 in VLAN 2, with the SVIs on the
!Layer 3 distribution switch. Numbered extended ACLs are entered as
!"access-list <100-199> ...", not "ip access-list <number> ...".
!An access-group on an SVI only sees routed traffic: hosts in the same VLAN as
!the client or the server still reach them directly at Layer 2.
access-list 101 permit ip host 1.1.1.1 host 1.1.2.1
access-list 101 deny ip host 1.1.1.1 any
access-list 101 permit ip any any
!
interface vlan 1
 ip access-group 101 in
!
access-list 102 permit ip host 1.1.2.1 host 1.1.1.1
access-list 102 deny ip host 1.1.2.1 any
access-list 102 permit ip any any
!
interface vlan 2
 ip access-group 102 in
!
 
Dragon0x40 (author) commented:
thanks ludo friend,

A separate vlan might work but we are trying to keep the same ip address scheme.

To work in the current vlan, the filtering would have to be done at the port level on the port leading to the server.

Can mac filtering do that?
 
Dragon0x40 (author) commented:
thanks ludo friend,

Would that still work if the client is a virtual machine on an HP enclosure and the interface connecting the enclosure to the switch is a trunk?

It would seem that the only traffic allowed through interface ethernet 0 would be the one MAC address? So if I put this config on the trunk to the HP enclosure then the other virtual machines and servers would not get their traffic.

Having a physical server on one end and an HP enclosure with virtual machines on the other makes it difficult to isolate the traffic so that the virtual machine only talks to the server. And all other traffic to the server and the HP enclosure still needs to be allowed.

 
ludo_friend commented:
Hi - with that in mind, I'd really go down the VLAN path. I have a few "temp" VLANs assigned to my ESXi infrastructure for this exact purpose (test & isolate).



 
Dragon0x40 (author) commented:
We may have to add a vlan just for isolating the virtual machine.

Checking with the software packager company to see if they have any solutions to isolate or ignore changes made to the vm not made by the software being installed.
 
Dragon0x40 (author) commented:
Still waiting for an answer from the software vendor
 
ludo_friend commented:
Thanks for keeping me posted :)
 
Dragon0x40 (author) commented:
We will go to offline captures to isolate.
Question has a verified solution.
