Task
Set up an ACL on N1Kv that prohibits standard web traffic from reaching Win2k8-www-3.
Permit all other traffic to that server.
Configuration
First, let's be sure of our Veth interface number.
Port           Name               Status   Vlan      Duplex  Speed   Type
--------------------------------------------------------------------------------
mgmt0          --                 up       routed    full    1000    --
Eth3/1         --                 up       trunk     full    1000    --
Eth3/2         --                 up       trunk     full    1000    --
Eth3/3         --                 up       trunk     full    unknown --
Eth3/4         --                 up       trunk     full    unknown --
Eth3/5         --                 up       trunk     full    unknown --
Eth4/1         --                 up       trunk     full    1000    --
Eth4/2         --                 up       trunk     full    1000    --
Eth4/3         --                 up       trunk     full    unknown --
Eth4/4         --                 up       trunk     full    unknown --
Eth4/5         --                 up       trunk     full    unknown --
Po1            --                 up       trunk     full    1000    --
Po2            --                 up       trunk     full    1000    --
Po3            --                 up       trunk     full    unknown --
Po4            --                 up       trunk     full    unknown --
Veth1          VMware VMkernel, v up       115       auto    auto    --
Veth2          VMware VMkernel, v up       116       auto    auto    --
Veth3          N1Kv-01-VSM-2, Net up       120       auto    auto    --
Veth4          N1Kv-01-VSM-2, Net up       121       auto    auto    --
Veth5          N1Kv-01-VSM-2, Net up       120       auto    auto    --
Veth6          Win2k8-www-1, Netw up       110       auto    auto    --
Veth7          VMware VMkernel, v up       115       auto    auto    --
Veth8          VMware VMkernel, v up       116       auto    auto    --
Veth9          N1Kv-01-VSM-1, Net up       120       auto    auto    --
Veth10         N1Kv-01-VSM-1, Net up       121       auto    auto    --
Veth11         N1Kv-01-VSM-1, Net up       120       auto    auto    --
Veth12         Win2k8-www-2, Netw up       110       auto    auto    --
Veth13         Win2k8-www-3, Netw up       110       auto    auto    --
Veth14         vCenter, Network A up                 auto    auto    --
control0       --                 up       routed    full    1000    --
N1Kv-01(config)#
Next, browse to Win2k8-www-3 to make sure it's still alive. Let's also ping it infinitely.
Now apply an access list, blocking port 80 traffic from ever reaching it, therefore preventing us from getting a reply when we browse to it.
ip access-list NoHTTP
  10 deny tcp any any eq www
  20 permit ip any any
interface Vethernet13
  ip port access-group NoHTTP out
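The two steps above, finding the guest's Veth from the interface table and working out what NoHTTP does to each flow, as an added Python example (not part of the INE workbook; the sample show output is constructed from the rows shown earlier, and the ACL evaluator models only protocol and destination port, which is all these two entries use):

```python
import re

# Constructed sample of N1Kv "show interface status" output, reduced to a few
# guest rows from the task (not captured from the lab itself).
SHOW_INT_STATUS = """\
Port           Name               Status   Vlan      Duplex  Speed   Type
--------------------------------------------------------------------------------
Veth6          Win2k8-www-1, Netw up       110       auto    auto    --
Veth12         Win2k8-www-2, Netw up       110       auto    auto    --
Veth13         Win2k8-www-3, Netw up       110       auto    auto    --
"""

# The NoHTTP ACL from the task. NX-OS walks entries in sequence order and stops
# at the first match. Each entry: (seq, action, protocol, destination port).
NOHTTP_ACL = [
    (10, "deny", "tcp", 80),     # 10 deny tcp any any eq www
    (20, "permit", "ip", None),  # 20 permit ip any any
]

# Port column, the 18-character (truncated) Name column, then Status and Vlan.
ROW = re.compile(r"^(Veth\d+)\s+(.{18})\s+(\S+)\s+(\S+)")

def veth_for_vm(show_output, vm_name):
    """Return the Veth port whose Name column belongs to vm_name.
    The Name column is cut at 18 characters ("Win2k8-www-3, Netw"), so match
    the "<VM name>," prefix rather than the full "<VM>, <Network>" label."""
    for line in show_output.splitlines():
        m = ROW.match(line)
        if m and m.group(2).strip().startswith(vm_name + ","):
            return m.group(1)
    return None

def acl_action(acl, proto, dst_port):
    """Evaluate one flow the way the port ACL applied "out" on the Veth does
    (traffic leaving the N1Kv toward the guest): top-down, first match wins,
    "ip" matches every IP protocol, and nothing matching means implicit deny."""
    for seq, action, ace_proto, ace_port in acl:
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if ace_port is not None and ace_port != dst_port:
            continue
        return action, seq
    return "deny", None

if __name__ == "__main__":
    veth = veth_for_vm(SHOW_INT_STATUS, "Win2k8-www-3")
    print("interface Vethernet" + veth[len("Veth"):])          # Vethernet13
    for proto, port in (("tcp", 80), ("tcp", 443), ("icmp", None)):
        print(proto, port, acl_action(NOHTTP_ACL, proto, port))
```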
Verification
Check our ping and try to refresh the browser window.
Note:
Even if we vMotion this guest to another host, the ACL will still be in effect. Guests don't change Vethernet port numbers simply because of vMotion, and they retain all of their settings. One thing to be cautious of, however, is that if you edit the settings of the guest and change the network adapter to a different port profile/group and click Apply, and then even go back into the settings and move the adapter back to the original port profile/group, the ACL will not remain. This is true for any settings applied to the Vethernet interface, such as QoS, NetFlow, DHCP trust, and so on.
2013 INE