479 Views, 5 Helpful, 5 Replies

CSS 11503 Bypassing Content Rules

alanwright1
Level 1

Hi,

I am trying to decipher how to bypass the content rules being processed to allow the traffic to go direct to the real (origin) server without going via a load-balanced device. As I know the destination IPs, it seems to me that I can use ACLs with the bypass keyword to bypass the rule engine. If this is true, then I have a couple of questions regarding ACLs in CSS.

1. CSS ACLs seem to support 255 clauses; can they support more entries, say 500?

2. If the answer to Q1 is no, then can I apply more than one ACL to a circuit?

BR

Alan

5 Replies

Gilles Dufour
Cisco Employee

Alan,

It's simpler than that.

If you want to access the real server directly, use its IP address instead of the virtual IP.

The CSS is also a router/switch, so it will route traffic that does not match a virtual IP.

No need for an ACL [except maybe to permit the traffic if you had it denied].

Gilles.

Thanks Gilles,

Can CSS support the setup of 500 VIPs?

BR

Alan

Alan,

Yes, you can have 500 VIPs on a CSS.

Gilles.

Hi Gilles,

Thanks again for the feedback.

As I have no IP for the content defined, it'll try to match any IP. So I see two options now, given that I need to filter out approx. 500 IPs from the "catch all" content rule.

1. Bypass using ACL and NQL: have a single NQL with 500 IP host entries, and link this to a single clause in the ACL assigned to the incoming interface.

2. Add 500 content rules, with each VIP assigned to one content rule.

Would you agree that the better approach would be to use option 1, as it would contain less config?

BR

Alan

Alan,

OK, I see the need for the bypass now.

I think that option 1 is much better.

Gilles.
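To make option 1 concrete, here is an added example (not from the thread, and not Cisco code) that generates the single-NQL/single-clause bypass configuration from a list of ~500 destination hosts and contrasts it with the one-clause-per-host layout, which runs into the 255-clause-per-ACL limit quoted above. The CSS command syntax it emits (`nql`, `ip address <host> <mask>`, `acl`, `clause ... bypass ... destination nql <name>`, `apply circuit-(VLAN1)`, `acl enable`) is an assumption based on the CSS CLI and should be checked against the CSS Command Reference for your software version; the NQL name, ACL number, circuit name and the host addresses (TEST-NET ranges) are constructed sample values.

```python
"""Generate a CSS-style NQL + ACL bypass config from a destination host list.

Added example, not the thread's or Cisco's code. The CSS command syntax
emitted below is an assumption based on the CSS CLI; verify it against the
CSS Command Reference for your release before applying it.
"""
import ipaddress
from typing import Iterable, List

MAX_ACL_CLAUSES = 255   # per-ACL clause limit quoted in the thread


def normalize_hosts(hosts: Iterable[str]) -> List[str]:
    """Validate, deduplicate and sort IPv4 host addresses.

    A malformed entry raises ValueError: better to fail here than to
    push a config with a typo'd host into a bypass list.
    """
    seen = {ipaddress.IPv4Address(h.strip()) for h in hosts}
    return [str(a) for a in sorted(seen)]


def count_clauses(acl_lines: Iterable[str]) -> int:
    """Count 'clause' statements in a rendered ACL block."""
    return sum(1 for line in acl_lines if line.strip().startswith("clause "))


def build_nql(name: str, hosts: Iterable[str]) -> List[str]:
    """One NQL holding every bypass destination as a /32 host entry."""
    lines = [f"nql {name}"]
    for h in normalize_hosts(hosts):
        lines.append(f"  ip address {h} 255.255.255.255")   # assumed syntax
    return lines


def build_bypass_acl(acl_id: int, nql_name: str, circuit: str) -> List[str]:
    """Option 1: a single bypass clause referencing the NQL as destination."""
    lines = [
        f"acl {acl_id}",
        # one clause covers all hosts in the NQL, however many there are
        f"  clause 10 bypass any any destination nql {nql_name}",
        # an enabled ACL denies by default, so explicitly re-permit the rest
        "  clause 20 permit any any destination any",
        f"  apply circuit-({circuit})",
    ]
    return lines


def build_per_host_acl(acl_id: int, hosts: Iterable[str], circuit: str) -> List[str]:
    """The naive layout: one bypass clause per destination host.

    Raises ValueError when the host count would exceed the clause limit,
    which is exactly what happens with ~500 hosts.
    """
    lines = [f"acl {acl_id}"]
    for i, h in enumerate(normalize_hosts(hosts), start=1):
        lines.append(f"  clause {i} bypass any any destination {h} 255.255.255.255")
    lines.append(f"  clause {count_clauses(lines) + 1} permit any any destination any")
    lines.append(f"  apply circuit-({circuit})")
    n = count_clauses(lines)
    if n > MAX_ACL_CLAUSES:
        raise ValueError(f"{n} clauses exceeds the per-ACL limit of {MAX_ACL_CLAUSES}")
    return lines


def render_config(hosts: Iterable[str], nql_name: str = "BYPASS_HOSTS",
                  acl_id: int = 1, circuit: str = "VLAN1") -> str:
    """Full option-1 config: NQL, bypass ACL applied to the circuit, ACLs enabled."""
    nql = build_nql(nql_name, hosts)
    acl = build_bypass_acl(acl_id, nql_name, circuit)
    n = count_clauses(acl)
    if n > MAX_ACL_CLAUSES:
        raise ValueError(f"{n} clauses exceeds the per-ACL limit of {MAX_ACL_CLAUSES}")
    return "\n".join(nql + acl + ["acl enable"]) + "\n"


# Constructed sample: 500 destination hosts drawn from two TEST-NET /24s.
SAMPLE_HOSTS = [str(a) for net in ("203.0.113.0/24", "198.51.100.0/24")
                for a in ipaddress.IPv4Network(net)][:500]


if __name__ == "__main__":
    print(render_config(SAMPLE_HOSTS))
    try:
        build_per_host_acl(1, SAMPLE_HOSTS, "VLAN1")
    except ValueError as exc:
        print(f"per-host ACL rejected: {exc}")
```

Running it prints the NQL with 500 host lines followed by a two-clause ACL, then reports that the per-host variant is rejected because 500 bypass clauses plus the trailing permit exceed 255. The trailing `permit any` clause matters: once `acl enable` is in effect, traffic that matches no clause is dropped, so a bypass-only ACL would silently cut off everything that is meant to be load balanced.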
