Layer-7 Class-maps: 'not' match-any

Answered Question
Aug 24th, 2010

Hallo All,

I'm wondering if the following logic is possible on the ACEs.


First Match is:

class-map type http loadbalance match-any CM7-MatchSrcIP
   10 match source-address 192.168.0.0 255.255.0.0
   20 match source-address 172.16.0.0 255.255.0.0


class-map type http loadbalance match-any CM7-URLs
   10 match http url /testing.*


class-map type http loadbalance match-all CM7-WWW
   10 match class-map CM7-MatchSrcIP
   20 match class-map CM7-URLs


If the above URL and IP sources are matched, I want to send to a specific SF. (easy enough)

If the URL matches /testing.* but the source IP address doesn't match any of the above subnets, I want to redirect to a 'restricted' page. (ummm)

If the URL is something else (e.g. /temporary.*) with any IP source address, I want it to be load-balanced by a different SF (say like in a class-default)


Thx in adv

David

Correct Answer
Pablo Tue, 08/24/2010 - 10:38
Cisco Employee

Hi David,


Sure, you can try this on the ACE. You already created most of the configuration, so now you just need to apply the maps under the first-match policy.


According to your description, this is what this policy should look like:


policy-map type loadbalance first-match SLB_LOGIC
  class CM7-WWW
    serverfarm Testing
  class CM7-URLs
    serverfarm Restricted
  class class-default
    serverfarm Any


- ACE checks for testing plus IP address matching.

- If user belongs to any other subnet then SF restricted is used.

- If none of the above statements is matched then the default class map and SF is used.


Cheers!

Pablo
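
The first-match evaluation described in the answer above, as an added example (not part of the original post and not Cisco code): a simplified Python model of the three class maps and the policy order, showing how the 'not in subnet' case falls out of ordering alone. Modeling the URL expression with Python's `re.fullmatch`, the `SWAPPED` policy and the sample client addresses are assumptions.

```python
import ipaddress
import re

# Class-map contents copied from the thread; the evaluation model is a simplification.
SRC_NETS = [ipaddress.ip_network("192.168.0.0/255.255.0.0"),
            ipaddress.ip_network("172.16.0.0/255.255.0.0")]
URL_PATTERNS = [re.compile(r"/testing.*")]


def cm7_match_src_ip(src_ip, url):
    # match-any: a hit on any one subnet is enough
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in SRC_NETS)


def cm7_urls(src_ip, url):
    # match-any over the URL expressions (fullmatch is an assumption of this model)
    return any(p.fullmatch(url) is not None for p in URL_PATTERNS)


def cm7_www(src_ip, url):
    # match-all: every nested class map has to match
    return cm7_match_src_ip(src_ip, url) and cm7_urls(src_ip, url)


# Policy order from the answer: the most specific class comes first.
POLICY = [(cm7_www, "Testing"), (cm7_urls, "Restricted")]
# Hypothetical mis-ordering, to show why position matters.
SWAPPED = [(cm7_urls, "Restricted"), (cm7_www, "Testing")]


def select_serverfarm(src_ip, url, policy=POLICY):
    # first-match: the first class that matches decides, later ones are never tried
    for class_map, serverfarm in policy:
        if class_map(src_ip, url):
            return serverfarm
    return "Any"  # class-default


if __name__ == "__main__":
    # Constructed sample requests, not taken from the thread.
    for ip, url in [("192.168.10.5", "/testing/index.html"),
                    ("10.1.1.1", "/testing/index.html"),
                    ("172.17.0.1", "/testing/index.html"),
                    ("10.1.1.1", "/temporary/x")]:
        print(ip, url, "->", select_serverfarm(ip, url))
```

Note that 172.16.0.0 with mask 255.255.0.0 covers only 172.16.x.x, so a client at 172.17.0.1 lands on Restricted.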


dlongworth Tue, 08/24/2010 - 16:12

Ah! Matching the URL without the source IP, and because of the class-maps' respective position, it should match all-else.


Thank you for your helpful reply Pablo.

Pablo Tue, 08/24/2010 - 22:32
Cisco Employee

And Bingo was his name-o  =)


Glad to help


Pablo
