Solved

Filtering traffic between a client and server Cisco CATOS and IOS

Posted on 2010-09-08
561 Views
Last Modified: 2012-05-10
I have been asked to isolate the traffic between a Client and Server so that only the traffic from the designated client gets back to the server. The vlan has many other hosts besides the client and server.

The server runs a packager program that has a client piece on the client virtual machine. When an installation is performed on the client then all the changes are reported back to the server to be recorded.

The goal is to capture only the changes made to the client while performing an installation so that an msi installation exe can be created. Currently the server is capturing unrelated traffic on the server port and adding this information to the msi. This unrelated information then has to be manually removed.

The server is connected to an access port on a 6500 access layer switch running CATOS and the client is a virtual machine running on a vSphere server. The vSphere server connects via a trunk port to a 6500 access layer switch running IOS. There is a 6500 layer 3 distribution switch between the two access switches. The server recording the installation and the client running the installation are on different vlans and subnets, so they need to be routed through the distribution switch.

They are requesting an additional vlan be created but they do not want to change the ip addresses of the server and client. This will not work because we map a complete subnet to each vlan.

Can I create an acl on the CATOS switch that only allows the packets from the client ip or mac to get to the server port? Of course normal traffic to all the other ports on the vlan would still have to continue.

Maybe a separate dedicated physical network?
Question by:Dragon0x40
9 Comments
 
LVL 8

Assisted Solution

by:ludo_friend
ludo_friend earned 500 total points
ID: 33633637
easiest way is to put the client on its own vlan, then you can do layer 3 filtering.



client 1 can talk to server (acl 101 line 1)
client 1 cannot talk to anything else (acl 101 line 2)
everyone else on that vlan interface can talk (acl 101 line 3)

server can talk to client 1 (acl 102 line 1)
server cannot talk to anything else (acl 102 line 2)
everyone else on that vlan interface can talk (acl 102 line 3)


!!!!!!check to make sure those acls aren't already in use!!!!!!


! placeholders: 1.1.1.1 = client, 1.1.2.1 = server; vlan 1 = client vlan, vlan 2 = server vlan
! numbered extended ACLs use "access-list <100-199> ..." in IOS; "ip access-list 101 permit ..." is not accepted
access-list 101 permit ip host 1.1.1.1 host 1.1.2.1
access-list 101 deny ip host 1.1.1.1 any
access-list 101 permit ip any any
!
interface vlan 1
 ip access-group 101 in
!
access-list 102 permit ip host 1.1.2.1 host 1.1.1.1
access-list 102 deny ip host 1.1.2.1 any
access-list 102 permit ip any any
!
interface vlan 2
 ip access-group 102 in
!
 

Author Comment

by:Dragon0x40
ID: 33639040
thanks ludo friend,

A separate vlan might work but we are trying to keep the same ip address scheme.

To work in the current vlan, the filtering would have to be done at the port level on the port leading to the server.

Can mac filtering do that?
 
LVL 8

Accepted Solution

by:
ludo_friend earned 500 total points
ID: 33642339
yes, but you need to assign the interface to a bridge-group and do your filtering from there, in the form of input and output access-lists. layer 3 filtering on the vlan is MUCH simpler. I don't do it this way personally, so you'll have to test it yourself.


! 700-799 = 48-bit MAC address access lists; mask bits set to 1 are "don't care",
! so 0000.0000.0000 means exact match and ffff.ffff.ffff matches every address
!from (filtered on source MAC)
access-list 700 permit 0000.1122.33AA 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
!to (filtered on destination MAC)
access-list 701 permit 0000.1122.33AA 0000.0000.0000
access-list 701 deny 0000.0000.0000 ffff.ffff.ffff
!
! the bridge group has to be defined before an interface can join it
bridge 1 protocol ieee
!
interface ethernet 0
 bridge-group 1
 bridge-group 1 input-address-list 700
 bridge-group 1 output-address-list 701
!


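As an added illustration (not part of the thread and not the poster's config), the following Python simulation applies Cisco first-match ACL evaluation to both approaches ludo_friend posted: the extended IP lists 101/102 and the 700-series MAC list. It uses the thread's placeholder addresses plus a constructed third host, and makes visible which direction each list governs (ACL 101 inbound on the client vlan still lets other hosts on that vlan send to the server; only the server's replies to them are stopped by ACL 102).

```python
# Added example: simulate IOS first-match ACL evaluation for the two filtering
# approaches in this thread. Placeholders from the thread: client 1.1.1.1,
# server 1.1.2.1, client MAC 0000.1122.33AA; OTHER is a constructed third host.
ALL_ONES = 0xFFFFFFFFFFFF


def ip_match(pattern, addr):
    """'any' matches everything; the posted lines otherwise use 'host X'."""
    return pattern == "any" or pattern == addr


def eval_ip_acl(acl, src, dst):
    """First matching entry wins; no match hits the implicit deny at the end."""
    for action, s, d in acl:
        if ip_match(s, src) and ip_match(d, dst):
            return action
    return "deny"


def mac_match(pattern, mask, addr):
    """700-series MAC ACL: mask bits set to 1 are 'don't care', 0 must match."""
    to_int = lambda m: int(m.replace(".", ""), 16)
    care = to_int(mask) ^ ALL_ONES
    return (to_int(pattern) & care) == (to_int(addr) & care)


def eval_mac_acl(acl, mac):
    for action, pattern, mask in acl:
        if mac_match(pattern, mask, mac):
            return action
    return "deny"


CLIENT, SERVER, OTHER = "1.1.1.1", "1.1.2.1", "1.1.1.50"
ACL_101 = [("permit", CLIENT, SERVER), ("deny", CLIENT, "any"), ("permit", "any", "any")]
ACL_102 = [("permit", SERVER, CLIENT), ("deny", SERVER, "any"), ("permit", "any", "any")]
ACL_700 = [("permit", "0000.1122.33AA", "0000.0000.0000"),
           ("deny", "0000.0000.0000", "ffff.ffff.ffff")]


def isolation_report():
    # 101 is inbound on the client vlan SVI, 102 inbound on the server vlan SVI
    return {
        "client->server": eval_ip_acl(ACL_101, CLIENT, SERVER),
        "client->other": eval_ip_acl(ACL_101, CLIENT, OTHER),
        "other->server": eval_ip_acl(ACL_101, OTHER, SERVER),
        "server->client": eval_ip_acl(ACL_102, SERVER, CLIENT),
        "server->other": eval_ip_acl(ACL_102, SERVER, OTHER),
        "client mac": eval_mac_acl(ACL_700, "0000.1122.33AA"),
        "other mac": eval_mac_acl(ACL_700, "0000.1122.33BB"),
    }


if __name__ == "__main__":
    for flow, verdict in isolation_report().items():
        print(f"{flow:16} {verdict}")
```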

 

Author Comment

by:Dragon0x40
ID: 33665830
thanks ludo friend,

Would that still work if the client is a virtual machine on an HP enclosure and the interface by which the enclosure is connected to the switch is a trunk?

It would seem that the only traffic allowed through interface ethernet 0 would be the one mac address? So if I put this config on the trunk to the HP enclosure then other virtual machines and servers would not get their traffic.

Having a physical server on one end and an HP Enclosure with virtual machines on the other makes it difficult to isolate the traffic so the virtual machine only talks to the server. And all other traffic to the server and the HP enclosure still needs to be allowed.

 
LVL 8

Assisted Solution

by:ludo_friend
ludo_friend earned 500 total points
ID: 33667608
Hi - with that in mind, I'd really go down the VLAN path. I have a few "temp" vlans assigned to my esxi infrastructure for this exact purpose (test & isolate)



 

Author Comment

by:Dragon0x40
ID: 33667900
We may have to add a vlan just for isolating the virtual machine.

Checking with the software packager company to see if they have any solutions to isolate or ignore changes made to the vm not made by the software being installed.
 

Author Comment

by:Dragon0x40
ID: 33846559
Still waiting for an answer from the software vendor
 
LVL 8

Expert Comment

by:ludo_friend
ID: 33846569
Thanks for keeping me posted :)
 

Author Comment

by:Dragon0x40
ID: 33900514
We will go to offline captures to isolate.
