Layer-7 Class-maps: 'not' match-any

Aug 24th, 2010

Hello All,

I'm wondering if the following logic is possible on the ACEs.


First Match is:

class-map type http loadbalance match-any CM7-MatchSrcIP
   10 match source-address 192.168.0.0 255.255.0.0
   20 match source-address 172.16.0.0 255.255.0.0


class-map type http loadbalance match-any CM7-URLs
   10 match http url /testing.*


class-map type http loadbalance match-all CM7-WWW
   10 match class-map CM7-MatchSrcIP
   20 match class-map CM7-URLs


If the above URL and IP sources are matched, I want to send to a specific SF. (easy enough)

If the URL matches /testing.* but the source IP address doesn't match any of the above subnets, I want to redirect to a 'restricted' page. (ummm)

If the URL is something else (e.g. /temporary.*) with any IP source address, I want it to be load-balanced by a different SF (say like in a class-default)


Thx in adv

David

Correct Answer
Pablo (Cisco Employee) Tue, 08/24/2010 - 10:38

Hi David,


Sure, you can try this on the ACE. You already created most of the configuration, so now you just need to apply the maps under the first-match policy.


According to your description, this is how this policy should look:


policy-map type loadbalance first-match SLB_LOGIC
  class CM7-WWW
    serverfarm Testing
  class CM7-URLs
    serverfarm Restricted
  class class-default
    serverfarm Any


- ACE checks for testing plus IP address matching.

- If user belongs to any other subnet then SF restricted is used.

- If none of the above statements is matched then the default class map and SF is used.


Cheers!

Pablo
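
Added example (not part of the thread and not Cisco code): a small Python model of the first-match evaluation described in the answer above, showing how class order supplies the "not" logic and what happens if the first two classes are swapped. The sample requests are constructed, and treating the URL expression as a whole-URL match via `re.fullmatch` is an assumption.

```python
import ipaddress
import re

# Predicates for the "match" lines in the thread's class-maps.
def src_in(net, mask):
    network = ipaddress.ip_network(f"{net}/{mask}")
    return lambda req: ipaddress.ip_address(req["src"]) in network

def url_is(pattern):
    rx = re.compile(pattern)  # assumption: expression must match the whole URL
    return lambda req: rx.fullmatch(req["url"]) is not None

def class_map(name):
    return lambda req: matches(name, req)  # nested "match class-map"

CLASS_MAPS = {
    "CM7-MatchSrcIP": ("match-any", [src_in("192.168.0.0", "255.255.0.0"),
                                     src_in("172.16.0.0", "255.255.0.0")]),
    "CM7-URLs": ("match-any", [url_is(r"/testing.*")]),
    "CM7-WWW": ("match-all", [class_map("CM7-MatchSrcIP"),
                              class_map("CM7-URLs")]),
}

def matches(name, req):
    if name == "class-default":
        return True
    mode, preds = CLASS_MAPS[name]
    combine = any if mode == "match-any" else all
    return combine(p(req) for p in preds)

# Policy order from the answer, then the same classes with the first two swapped.
POLICY = [("CM7-WWW", "Testing"), ("CM7-URLs", "Restricted"),
          ("class-default", "Any")]
MISORDERED = [POLICY[1], POLICY[0], POLICY[2]]

def select_serverfarm(req, policy=POLICY):
    """first-match: return the serverfarm of the first class that matches."""
    for cls, farm in policy:
        if matches(cls, req):
            return farm
    return None

# Constructed sample requests (not taken from the thread).
SAMPLES = [
    {"src": "192.168.10.5", "url": "/testing/index.html"},
    {"src": "10.1.1.1", "url": "/testing/index.html"},
    {"src": "10.1.1.1", "url": "/temporary/a.html"},
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r, select_serverfarm(r), select_serverfarm(r, MISORDERED))
```

With the classes swapped, the broader CM7-URLs class shadows CM7-WWW, so even the permitted subnets land on Restricted; the narrower match-all class has to come first.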


dlongworth Tue, 08/24/2010 - 16:12
Ah! Matching the URL without the source IP and because of the class-maps' respective position it should match all-else.


Thank you for your helpful reply Pablo.

Pablo (Cisco Employee) Tue, 08/24/2010 - 22:32

And Bingo was his name-o  =)


Glad to help


Pablo
