CSS. Only permit certain sourceIP to content rule - redirect everone else ?

Unanswered Question
Jun 27th, 2008
User Badges:

Hi, all servers for an application are to be downed for upgrades. During this time all clients are to be redirected to a "sorry" page, hosted on the web.

I don't have a problem with this.

My problem starts when the service is restored.

The redirect must stay in place for general users but the "application testers" must be allowed access (i.e. not redirected) based soley on their source IP address.

Rule VIP is the same and url is the same.

I'm thinking ACLs but don't know how to apply them (if I could apply them to content rules I would be sorted - but can't)

Does anybody have any Ideas how to work this out ?


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
grahamlewis Fri, 06/27/2008 - 08:05
User Badges:

Hi, I manage to fathom it out - so incase anybody else has similar difficulties, here's what I did (there maybe a neater way - which I would be interested in).


Configured a redirect service called SORRY (with no keepalives)

Acl 1

Clause 10 Permit any x.x.x.x destination z.z.z.z

Clause 20 Permit any x.x.x.y destination z.z.z.z

*Clause 30 Permit any any destination z.z.z.z prefer SORRY*

Clause 50 permit any any destination any

Apply circuit-(VLAN1)

Acl 2

Clause 10 permit any any destination any

Apply circuit-(VLAN3)

Apply circuit-(VLAN2)


grahamlewis Fri, 06/27/2008 - 14:12
User Badges:

Hi, following my success in the lab I didn't have the same in live.

The only difference being that in live I was terminating SSL.

The part that didn't work was the ACL clause with the PREFER - is there any know reason why this could be ?

CSS is Version: sg0810106 (

with SSL mod

(LAB was the same ver without SSL)


Gilles Dufour Mon, 06/30/2008 - 01:17
User Badges:
  • Cisco Employee,

you'll need to share your complete config.

This is a little bit trickier with the SSL module since the traffic from all clients must go to the SSL module first to be decrypted.

Then you can use ACL to send a redirect for some of them and the traffic needs then to be re-encrypted before being forwarded to the client.

Not sure what is your exact ACL and rules, so I can't tell you what you did worng.


Gilles Dufour Mon, 06/30/2008 - 07:09
User Badges:
  • Cisco Employee,


replace line 30 with :

clause 30 permit any any destination content OWN/PORTALS prefer OOSpage


grahamlewis Mon, 06/30/2008 - 07:17
User Badges:

Thanks Gilles.

It'll be a long time before I get to try it.

Will this catch the traffic after traversing the SSL mod?


Gilles Dufour Mon, 06/30/2008 - 07:57
User Badges:
  • Cisco Employee,

yes. But it will also catch your normal HTTP traffic.

If you don't want to apply the same rule to both, you'll need to decrypt the ssl traffic to a different rule by changing the port number or the vip address.

Then create specific access-lists.


grahamlewis Mon, 06/30/2008 - 08:21
User Badges:

Thanks Gilles.

I hadn't realised it behaved in this way - I was thinking that the acl was acting on data entering the vlan, as an access-list on a router would do with data arriving at an interface.

The idea was, all clients connect with a https://url...

General users would be redirected to the "out of service" page whilst a group of testers via proxies (ip addresses of those listed in the earlier clauses) would still get access to the application.


Gilles Dufour Tue, 07/01/2008 - 01:50
User Badges:
  • Cisco Employee,

Your understanding is actually correct.

The ACL is applied on inbound interface when the traffic comes in.

However, in the case of the SSL module, it is a little bit different.

There is no SSL-VLAN associated with the traffic coming out of the ssl module.

The traffic going in and out of the ssl module will keep the vlan tag they got when entering the CSS and the same ACL associated with that vlan will be applied again to the decrypted traffic.


grahamlewis Tue, 07/01/2008 - 02:34
User Badges:

Well I never!

Thanks again Gilles - you're a star!



This Discussion