5-9
Cisco Global Site Selector Administration Guide
OL-5480-01
Chapter 5 Configuring Access Lists and Filtering GSS Traffic
Filtering GSS Traffic Using Access Lists
Segmenting GSS Traffic by Ethernet Interface
By default, the GSS devices listen for DNS traffic on both GSS Ethernet
interfaces, 0 and 1. In the case of inter-GSS communications, GSS devices listen
for configuration and status updates on one interface only. Ethernet interface 0 is
the default.
To reconfigure which interface is used for inter-GSS communications on the GSS
network, use the gss-communications command. Refer to the Cisco Global Site
Selector Getting Started Guide for details.
For security reasons you can limit GSS traffic to one Ethernet interface, or
segment traffic by constraining a given type of traffic to a designated interface.
Using the access-list and access-group commands discussed previously, you can
define access lists that limit traffic on either of the two GSS Ethernet
interfaces.
For example, remote management services such as Telnet, SSH, and FTP listen on
all active interfaces. To force these remote management services to listen on only
the second GSS Ethernet interface, enter the following CLI commands:
gss1.example.com# config
gss1.example.com(config)# access-list alist1 permit tcp any destination-port ftp
gss1.example.com(config)# access-list alist1 permit tcp any destination-port ssh
gss1.example.com(config)# access-list alist1 permit tcp any destination-port telnet
gss1.example.com(config)# access-group alist1 interface eth1
The commands listed above restrict the second Ethernet interface (eth1) to the
specified traffic; all other traffic to that interface is refused.
To deny the same traffic on the first Ethernet interface (eth0), enter the following
commands:
gss1.example.com(config)# access-list alist1 deny tcp any destination-port ftp
gss1.example.com(config)# access-list alist1 deny tcp any destination-port ssh
gss1.example.com(config)# access-list alist1 deny tcp any destination-port telnet
gss1.example.com(config)# access-group alist1 interface eth0
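The following is an added example, not Cisco's code and not taken from the GSS guide: a small Python model of the access-list behaviour this section describes, so that a list can be reasoned about before it is bound to an interface. It parses the two CLI forms shown above (access-list ... permit|deny ... destination-port ..., and access-group ... interface ...) and evaluates packets against them. Two points are assumptions of the model rather than statements from the page: rules are evaluated first-match in the order entered, and the service names ftp, ssh, telnet and domain map to their well-known ports 21, 22, 23 and 53. The "all other traffic is refused" rule and the "no list bound means everything is accepted" default come from the text itself. The GssAcl class and function names are constructed for this example.

```python
# Constructed model of GSS-style interface access lists (example code, not
# the product's implementation). Assumptions: first-match rule evaluation;
# a bound list refuses anything it does not explicitly permit (the page's
# "all other traffic is refused"); an interface with no list bound accepts
# everything (the page's default behaviour).
from dataclasses import dataclass, field
from typing import Optional

# Service names used in the CLI examples, mapped to well-known ports (assumed).
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "domain": 53}


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    proto: str                # "tcp", "udp" or "any"
    dst_port: Optional[int]   # None matches any destination port

    def matches(self, proto: str, dst_port: int) -> bool:
        return (self.proto in ("any", proto)
                and (self.dst_port is None or self.dst_port == dst_port))


@dataclass
class GssAcl:
    lists: dict = field(default_factory=dict)     # list name -> [Rule, ...]
    bindings: dict = field(default_factory=dict)  # interface -> list name

    def configure(self, line: str) -> None:
        """Accept one CLI line of the two forms shown on the page (prompt stripped)."""
        tok = line.split()
        if tok[:1] == ["access-list"]:
            # access-list NAME permit|deny PROTO any [destination-port PORT]
            name, action, proto = tok[1], tok[2], tok[3]
            port = None
            if "destination-port" in tok:
                p = tok[tok.index("destination-port") + 1]
                port = int(p) if p.isdigit() else PORT_NAMES.get(p)
                if port is None:
                    raise ValueError(f"unknown service name: {p}")
            self.lists.setdefault(name, []).append(Rule(action, proto, port))
        elif tok[:1] == ["access-group"]:
            # access-group NAME interface eth0|eth1 (interface is the last token)
            self.bindings[tok[-1]] = tok[1]
        else:
            raise ValueError(f"unsupported command: {line}")

    def allows(self, iface: str, proto: str, dst_port: int) -> bool:
        name = self.bindings.get(iface)
        if name is None:
            return True                  # no list bound: interface accepts all
        for rule in self.lists.get(name, []):
            if rule.matches(proto, dst_port):
                return rule.action == "permit"   # first match decides (assumed)
        return False                     # unmatched traffic is refused


def eth1_management_only() -> GssAcl:
    """The page's first example: only FTP, SSH and Telnet reach eth1."""
    acl = GssAcl()
    for cmd in (
        "access-list alist1 permit tcp any destination-port ftp",
        "access-list alist1 permit tcp any destination-port ssh",
        "access-list alist1 permit tcp any destination-port telnet",
        "access-group alist1 interface eth1",
    ):
        acl.configure(cmd)
    return acl


def check_segmentation() -> dict:
    """What is still reachable on each interface once the eth1 list is bound.

    The interesting row is DNS on eth1: the GSS listens for DNS on both
    interfaces by default, but the permit-only list leaves no rule for
    UDP 53, so DNS to eth1 is refused along with everything else not listed.
    """
    acl = eth1_management_only()
    return {
        "eth1 ssh": acl.allows("eth1", "tcp", 22),
        "eth1 dns": acl.allows("eth1", "udp", 53),   # refused: not in the list
        "eth0 dns": acl.allows("eth0", "udp", 53),   # permitted: no list on eth0
        "eth0 ssh": acl.allows("eth0", "tcp", 22),   # permitted: no list on eth0
    }


if __name__ == "__main__":
    for service, ok in check_segmentation().items():
        print(f"{service}: {'permitted' if ok else 'refused'}")
```

Running the block prints one line per service and interface. Under the model, binding a permit-only management list to eth1 also removes DNS from eth1, so a deployment that still needs to answer DNS on both interfaces has to add an explicit permit for UDP 53 to the list before applying it; by the same rule, a list that contains nothing but deny entries refuses all traffic on the interface it is bound to. Checking a list this way, with the same commands that will be typed into the device, is cheaper than discovering the gap after the access-group command has been entered.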