I am very new to the ACE domain and would like to be advised.
ACE module since version A2(1.x) has stricter error checks for application protocol inspection. Generic class-map matching is no longer accepted.
With this being said, we were wondering, in the case of a VIP giving services to other ports (not only ftp with inspection), if there were any recommendations or best practices about the corresponding configuration:
- Only one VIP configured (one 'match virtual address' with an extended port range + inspect ftp)
- Two VIPs: one with 'match virtual-address x.x.x.x tcp eq 21' + 'inspect ftp', and one with a more generic port range?
Or any other approach?
Any suggestion would be appreciated.
I'd recommend a per-service based configuration approach.
This way, you can configure service-specific features (e.g. parameter maps, application inspections) for each service, even if you have several services configured for the same VIP. I find this gives much greater flexibility.