Solved

Filtering traffic between a client and server Cisco CATOS and IOS

Posted on 2010-09-08
554 Views
Last Modified: 2012-05-10
I have been asked to isolate the traffic between a Client and Server so that only the traffic from the designated client gets back to the server. The vlan has many other hosts besides the client and server.

The server runs a packager program that has a client piece on the client virtual machine. When an installation is performed on the client then all the changes are reported back to the server to be recorded.

The goal is to capture only the changes made to the client while performing an installation so that an msi installation exe can be created. Currently the server is capturing unrelated traffic on the server port and adding this information to the msi. This unrelated information then has to be manually removed.

The server is connected to an access port on a 6500 access layer switch running CATOS and the client is a virtual machine running on a vSphere server. The vSphere server connects via a trunk port to a 6500 access layer switch running IOS. There is a 6500 layer 3 distribution switch between the two access switches. The server recording the installation and the client running the installation are both on different vlans and subnets so need to be routed through the distribution switch.

They are requesting an additional vlan be created but they do not want to change the ip addresses of the server and client. This will not work because we map a complete subnet to each vlan.

Can I create an acl on the CATOS switch that only allows the packets from the client ip or mac to get to the server port? Of course normal traffic to all the other ports on the vlan would still have to continue.

Maybe a separate dedicated physical network?
Question by:Dragon0x40
9 Comments
 
LVL 8

Assisted Solution

by:ludo_friend
ludo_friend earned 500 total points
ID: 33633637
easiest way is to put the client on its own vlan, then you can do layer 3 filtering.



client 1 can talk to server (acl 101 line 1)
client 1 cannot talk to anything else (acl 101 line 2)
everyone else on that vlan interface can talk (acl 101 line 3)

server can talk to client 1 (acl 102 line 1)
server cannot talk to anything else (acl 102 line 2)
everyone else on that vlan interface can talk (acl 102 line 3)


!!!!!!check to make sure those acls aren't already in use!!!!!!


! placeholder addresses: 1.1.1.1 = client (vlan 1), 1.1.2.1 = server (vlan 2)
! numbered extended IP ACLs use "access-list <100-199> ..." on IOS
access-list 101 permit ip host 1.1.1.1 host 1.1.2.1
access-list 101 deny ip host 1.1.1.1 any
access-list 101 permit ip any any
!
! applied inbound on the client's SVI: only frames sourced by the client are restricted
interface vlan 1
 ip access-group 101 in
!
access-list 102 permit ip host 1.1.2.1 host 1.1.1.1
access-list 102 deny ip host 1.1.2.1 any
access-list 102 permit ip any any
!
! applied inbound on the server's SVI: only frames sourced by the server are restricted
interface vlan 2
 ip access-group 102 in
!

Author Comment

by:Dragon0x40
ID: 33639040
thanks ludo_friend,

A separate vlan might work but we are trying to keep the same ip address scheme.

To work in the current vlan, the filtering would have to be done at the port level on the port leading to the server.

Can mac filtering do that?
LVL 8

Accepted Solution

by:ludo_friend
ludo_friend earned 500 total points
ID: 33642339
yes, but you need to assign the interface to a bridge-group and do your filtering from there, in the form of input and output access-lists. layer 3 filtering on the vlan is MUCH simpler. I don't do it this way personally, so you'll have to test it yourself.


! 700-799 are 48-bit MAC address lists; the second field is a wildcard mask
! (0000.0000.0000 = exact match, ffff.ffff.ffff = match anything)
! 0000.1122.33AA is a placeholder for the client's MAC address
!from (input list matches the source MAC)
access-list 700 permit 0000.1122.33AA 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
!to (output list matches the destination MAC)
access-list 701 permit 0000.1122.33AA 0000.0000.0000
access-list 701 deny 0000.0000.0000 ffff.ffff.ffff
!
bridge 1 protocol ieee
!
! the MAC filters are bridge-group address lists, not ip access-groups
interface ethernet 0
 bridge-group 1
 bridge-group 1 input-address-list 700
 bridge-group 1 output-address-list 701
!


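As an added example, not part of the thread and not code from ludo_friend or from Cisco, here is a small Python 3 (standard library only) simulator of the IOS first-match rule, run over the two proposals above: the layer 3 lists 101/102 from the earlier answer and the MAC list 700 from this one. It lets you check what a list actually permits before applying it to a production 6500. The addresses are the thread's placeholders; the neighbour host 1.1.1.50, the unrelated host 10.9.9.9 and the second VM MAC 0000.1122.33BB are constructed for the example. The MAC wildcard is treated the way IOS documents 700-series lists, with 1 bits meaning "don't care".

```python
# Added example (not from the original thread): first-match simulator for the
# IP and MAC access lists proposed in the answers above.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"


def _mac_int(dotted: str) -> int:
    """'0000.1122.33AA' -> 0x00001122_33AA (case-insensitive)."""
    return int(dotted.replace(".", ""), 16)


@dataclass(frozen=True)
class IpEntry:
    """One line of an IOS extended IP ACL (protocol 'ip' only, as on the page)."""
    action: str  # "permit" or "deny"
    src: str     # CIDR: a /32 stands for "host A.B.C.D", ANY stands for "any"
    dst: str

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))


@dataclass(frozen=True)
class MacEntry:
    """One line of an IOS 700-series MAC list: 'permit|deny ADDR WILDCARD'.
    As with IP wildcard masks, a 1 bit in the wildcard means 'don't care'."""
    action: str
    addr: str
    wildcard: str

    def matches(self, mac: str) -> bool:
        care = ~_mac_int(self.wildcard) & 0xFFFFFFFFFFFF
        return (_mac_int(mac) ^ _mac_int(self.addr)) & care == 0


def evaluate(acl, *fields) -> str:
    """Cisco semantics: the first matching line wins, and every list ends in an implicit deny."""
    for entry in acl:
        if entry.matches(*fields):
            return entry.action
    return "deny"


# Layer 3 proposal: client 1.1.1.1 on vlan 1, server 1.1.2.1 on vlan 2 (placeholders from the thread)
ACL_101 = [  # ip access-group 101 in, on interface vlan 1 (frames sourced on the client vlan)
    IpEntry("permit", "1.1.1.1/32", "1.1.2.1/32"),
    IpEntry("deny", "1.1.1.1/32", ANY),
    IpEntry("permit", ANY, ANY),
]
ACL_102 = [  # ip access-group 102 in, on interface vlan 2 (frames sourced on the server vlan)
    IpEntry("permit", "1.1.2.1/32", "1.1.1.1/32"),
    IpEntry("deny", "1.1.2.1/32", ANY),
    IpEntry("permit", ANY, ANY),
]

# Layer 2 proposal: 0000.1122.33AA is the client's MAC (placeholder from the thread)
ACL_700 = [  # bridge-group input-address-list: matched against the source MAC of every frame
    MacEntry("permit", "0000.1122.33AA", "0000.0000.0000"),
    MacEntry("deny", "0000.0000.0000", "ffff.ffff.ffff"),
]


def ip_policy_report() -> dict:
    """Each flow that actually traverses one of the two inbound SVI lists."""
    return {
        "client->server": evaluate(ACL_101, "1.1.1.1", "1.1.2.1"),
        "client->other": evaluate(ACL_101, "1.1.1.1", "1.1.1.50"),   # 1.1.1.50: constructed neighbour
        "other->other": evaluate(ACL_101, "1.1.1.50", "10.9.9.9"),  # unrelated hosts stay unaffected
        "server->client": evaluate(ACL_102, "1.1.2.1", "1.1.1.1"),
        "server->other": evaluate(ACL_102, "1.1.2.1", "10.9.9.9"),   # line 2 of 102 also drops the server's replies to everyone else
    }


def trunk_report() -> dict:
    """What list 700 does on a trunk that carries every VM behind the enclosure."""
    return {
        "client vm": evaluate(ACL_700, "0000.1122.33aa"),
        "other vm": evaluate(ACL_700, "0000.1122.33bb"),  # constructed: a second VM on the same host
    }


if __name__ == "__main__":
    for name, verdict in {**ip_policy_report(), **trunk_report()}.items():
        print(f"{name:16} {verdict}")
```

Two things the report makes visible: line 2 of list 102 denies "server->other", so the server can no longer answer any host except the client, and list 700 on the trunk drops the frames of every other VM on that host, which is the objection the asker raises in the next comment.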

Author Comment

by:Dragon0x40
ID: 33665830
thanks ludo_friend,

Would that still work if the client is a virtual machine on an HP enclosure and the interface connecting the enclosure to the switch is a trunk?

It would seem that the only traffic allowed through interface ethernet 0 would be the one mac address? So if I put this config on the trunk to the HP enclosure then other virtual machines and servers would not get their traffic.

Having a physical server on one end and an HP enclosure with virtual machines on the other makes it difficult to isolate the traffic so the virtual machine only talks to the server. And all other traffic to the server and the HP enclosure still needs to be allowed.

LVL 8

Assisted Solution

by:ludo_friend
ludo_friend earned 500 total points
ID: 33667608
Hi - with that in mind, I'd really go down the VLAN path. I have a few "temp" vlans assigned to my esxi infrastructure for this exact purpose (test & isolate)



Author Comment

by:Dragon0x40
ID: 33667900
We may have to add a vlan just for isolating the virtual machine.

Checking with the software packager company to see if they have any solutions to isolate or ignore changes made to the vm not made by the software being installed.

Author Comment

by:Dragon0x40
ID: 33846559
Still waiting for an answer from the software vendor
LVL 8

Expert Comment

by:ludo_friend
ID: 33846569
Thanks for keeping me posted :)

Author Comment

by:Dragon0x40
ID: 33900514
We will go to offline captures to isolate.