ACE - Class-maps

Answered Question
Jun 23rd, 2008

I want to load balance traffic to a VIP based on client source address. Here is what I had in mind:

access-list special-25 extended permit tcp host 10.20.138.18 host 10.20.96.19 eq 25
access-list special-25 extended permit tcp host 10.20.138.30 host 10.20.96.19 eq 25
access-list special-25 extended permit tcp host 10.20.138.40 host 10.20.96.19 eq 25
access-list special-25 extended permit tcp host 10.20.254.88 host 10.20.96.19 eq 25
access-list internal-25 extended permit tcp 10.20.0.0 0.0.255.255 host 10.20.96.19 eq 25
access-list internet-25 extended permit tcp any host 10.20.96.19 eq 25

class-map match-any INTERNET-MAIL
  2 match access-list internet-25
class-map match-any INTERNAL-MAIL
  2 match access-list internal-25
class-map match-any SPECIAL-MAIL
  2 match access-list special-25
class-map match-all VIP-MAILGATE-25
  description MAILGATE INTERNAL 25
  2 match virtual-address 10.20.96.19 tcp eq 25

serverfarm host mailgate-zero
  description INTERNET MAIL
  failaction purge
  rserver mailgate-1
  rserver mailgate-2
  rserver mailgate-3
  rserver mailgate-4
serverfarm host mailgate-one
  description INTERNAL MAIL
  failaction purge
  rserver mailgate-5
  rserver mailgate-6
serverfarm host mailgate-two
  description I DON'T KNOW MAIL
  failaction purge
  rserver mailgate-8

policy-map type loadbalance first-match MAILGATE-POLICY
  class SPECIAL-MAIL
    serverfarm mailgate-two
  class INTERNAL-MAIL
    serverfarm mailgate-one
  class INTERNET-MAIL
    serverfarm mailgate-zero

policy-map multi-match CLIENT-VIPS
  class VIP-MAILGATE-25
    loadbalance vip inservice
    loadbalance policy MAILGATE-POLICY
    loadbalance vip icmp-reply active

The problem with this design is the policy-map MAILGATE-POLICY won't accept anything but the "class-default".

Any ideas how I can make this work?

Thanks,

Milo

Correct Answer
Gilles Dufour Mon, 06/23/2008 - 08:07

Milo,

you need to create a class-map of type http.

Sounds weird but this is the way to do it.

You can then match using a 'match source-address' command.

You can't specify the destination with an ACL, but this traffic would normally hit a VIP anyway; this will set the destination.

Gilles.

meckel Mon, 06/23/2008 - 10:38

Gilles,

You're right, it does sound weird. However, it appears to work (the commands weren't rejected anyway). Now as soon as I get time on the real servers I'll test it out. Here's my modified config with your suggestion:

class-map type http loadbalance match-all INTERNAL-MAIL-TEST
  10 match source-address 10.20.0.0 0.0.255.255
class-map type http loadbalance match-any SPECIAL-MAIL-TEST
  10 match source-address 10.20.138.18 255.255.255.255
  15 match source-address 10.20.138.30 255.255.255.255
  20 match source-address 10.20.138.40 255.255.255.255
  25 match source-address 10.20.254.88 255.255.255.255
class-map match-all VIP-MAILGATE-TEST-25
  description MAILGATE-TEST.NAU.EDU SMTP MAIL
  2 match virtual-address 10.20.96.36 tcp eq smtp

policy-map type loadbalance first-match MAILGATE-POLICY-TEST
  class SPECIAL-MAIL-TEST
    serverfarm mailgate-two-test
  class INTERNAL-MAIL-TEST
    serverfarm mailgate-one-test
  class class-default
    serverfarm mailgate-zero-test

policy-map multi-match CLIENT-VIPS
  class VIP-MAILGATE-TEST-25
    loadbalance vip inservice
    loadbalance policy MAILGATE-POLICY-TEST
    loadbalance vip icmp-reply active

Thank you!

Milo
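An added example, not part of the original thread and not Cisco code: a small offline model of the first-match policy above, useful for checking which serverfarm a given client source lands in before testing on the real servers. It assumes the mask argument of `match source-address` is applied as a bitwise netmask, as the 255.255.255.255 host entries imply; the function names and the `POLICY` structure are hypothetical.

```python
import ipaddress

# Constructed from the test config posted above:
# (class-map, match mode, [(address, mask), ...], serverfarm), in policy order.
POLICY = [
    ("SPECIAL-MAIL-TEST", "match-any",
     [("10.20.138.18", "255.255.255.255"), ("10.20.138.30", "255.255.255.255"),
      ("10.20.138.40", "255.255.255.255"), ("10.20.254.88", "255.255.255.255")],
     "mailgate-two-test"),
    ("INTERNAL-MAIL-TEST", "match-all",
     [("10.20.0.0", "0.0.255.255")], "mailgate-one-test"),
]
DEFAULT_FARM = "mailgate-zero-test"  # class class-default


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def is_contiguous_netmask(mask):
    """True when the mask is a run of 1 bits followed by 0 bits."""
    inverted = ~to_int(mask) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0


def matches(client, address, mask):
    """Assumption: the mask is a netmask, compared bitwise."""
    m = to_int(mask)
    return (to_int(client) & m) == (to_int(address) & m)


def select_serverfarm(client, policy=POLICY, default=DEFAULT_FARM):
    """first-match: the first class that matches decides the serverfarm."""
    for _name, mode, entries, farm in policy:
        hits = [matches(client, addr, mask) for addr, mask in entries]
        if any(hits) if mode == "match-any" else all(hits):
            return farm
    return default


def lint_masks(policy=POLICY):
    """List (class, address, mask) entries whose mask is not a netmask."""
    return [(name, addr, mask)
            for name, _mode, entries, _farm in policy
            for addr, mask in entries
            if not is_contiguous_netmask(mask)]
```

Under that assumption `lint_masks()` flags the 0.0.255.255 entry in INTERNAL-MAIL-TEST as wildcard-style, and an internal client such as 10.20.5.5 falls through to class-default; with 255.255.0.0 in its place the same client selects mailgate-one-test.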
