10-11-2010 06:58 AM
Hi,
The ACE config contains more than 20 service-policies and many VIP addresses. The ACE works in L3 mode.
We have to restrict one VIP's traffic to 6 nodes only from the public side.
How can I restrict the traffic with an ACL in the L3 class map?
Different policies use the servers on the server-side VLAN, thus we would not like to use a general traffic ACL under the server VLAN configuration.
Unfortunately, only one entry is permitted in the L3 class map!
However, this one entry is the virtual-address row.
What is the smart solution in this case? (VIP & ACL together)
Regards,
10-11-2010 10:06 AM
Why don't you use classical access control ACLs on ACE? You could do something like this:
access-list ACL extended permit ip host A host VIP
....
access-list ACL extended deny ip any host VIP
....
access-list ACL extended permit ip any any
interface vlan external_vlan_id
  access-group input ACL
10-11-2010 10:22 AM
Hi,
I think the easier way that you can do this is using an HTTP class-map (regardless of the load-balanced protocol, weird eh?)
Instead of an ACL you would use the match source-address command to specify the sources allowed to make it to the servers.
Here is how it looks:
class-map type http loadbalance match-any Hosts
  10 match source-address 192.168.10.20 255.255.255.255
  11 match source-address 192.168.10.21 255.255.255.255
  12 match source-address 192.168.10.22 255.255.255.255
class-map match-any Internet
  2 match virtual-address 192.168.20.15 tcp eq www
policy-map type loadbalance first-match Internet-FMP
  class Hosts
    serverfarm Backend
policy-map multi-match CLIENT-VIPS
  class Internet
    loadbalance vip inservice
    loadbalance policy Internet-FMP
    loadbalance vip icmp-reply active
Hope this helps!
__ __
Pablo
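Added example, not from this thread and not Cisco's own tooling: a small Python model that builds both restriction styles discussed above (the ACL from the first answer and the class-map pair from the second) from one allowed-host list, and then evaluates sample flows under each so the first-match behaviour can be checked before anything is typed into the ACE. The VIP addresses, the six allowed hosts and the outside host are constructed placeholders. The ACL model assumes ACE's first-match evaluation with an implicit deny at the end; the class-map model assumes that a connection matching no class in the first-match loadbalance policy is dropped, which is what the second answer relies on. It also includes a deliberately misordered ACL to show why the catch-all permit must come last.

```python
import ipaddress

# Constructed placeholders (not from the thread): the VIP to restrict, a VIP that
# must stay open to everyone, the six allowed public-side hosts, and an outsider.
VIP = ipaddress.ip_address("192.168.20.15")
OTHER_VIP = ipaddress.ip_address("192.168.20.16")
ALLOWED = [ipaddress.ip_address(f"192.168.10.{i}") for i in range(20, 26)]
STRANGER = ipaddress.ip_address("203.0.113.7")
ANY = ipaddress.ip_network("0.0.0.0/0")


def host(addr):
    """/32 network for a single address (the ACE 'host X' keyword)."""
    return ipaddress.ip_network(f"{addr}/32")


def build_acl(allowed, vip):
    """ACL style from the first answer, as (action, src, dst) entries in the
    order ACE evaluates them: host permits first, then a deny for everyone
    else to this VIP, then the catch-all permit so other VIPs are untouched."""
    entries = [("permit", host(h), host(vip)) for h in allowed]
    entries.append(("deny", ANY, host(vip)))
    entries.append(("permit", ANY, ANY))
    return entries


def misordered_acl(allowed, vip):
    """Same entries with the catch-all permit moved first: the deny never fires."""
    entries = build_acl(allowed, vip)
    return [entries[-1]] + entries[:-1]


def render_acl(entries, name="ACL"):
    """Emit the ACE access-list lines for an entry list."""
    def term(net):
        return "any" if net.prefixlen == 0 else f"host {net.network_address}"
    return [f"access-list {name} extended {action} ip {term(src)} {term(dst)}"
            for action, src, dst in entries]


def acl_permits(entries, src, dst):
    """First-match evaluation: the first entry covering the flow decides.
    Assumption: a flow matching no entry is dropped (implicit deny)."""
    for action, src_net, dst_net in entries:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False


def render_classmap(allowed, vip, port="www"):
    """Class-map style from the second answer: an HTTP loadbalance class-map
    listing allowed sources plus the L3/L4 class-map that matches the VIP."""
    lines = ["class-map type http loadbalance match-any Hosts"]
    for seq, h in enumerate(allowed, start=10):
        lines.append(f"  {seq} match source-address {h} 255.255.255.255")
    lines += ["class-map match-any Internet",
              f"  2 match virtual-address {vip} tcp eq {port}"]
    return lines


def classmap_reaches_farm(allowed, src, dst, vip):
    """Model of the second answer's policy: traffic to the VIP enters the
    first-match loadbalance policy, where only class Hosts maps to a serverfarm.
    Assumption: a flow matching no class there is dropped. Returns None for
    traffic to other VIPs, which this policy never sees."""
    if dst != vip:
        return None
    return src in allowed


def compare(allowed, vip, flows):
    """Evaluate (src, dst) flows under both styles: {(src, dst): (acl, classmap)}."""
    acl = build_acl(allowed, vip)
    return {(str(s), str(d)): (acl_permits(acl, s, d),
                               classmap_reaches_farm(allowed, s, d, vip))
            for s, d in flows}


if __name__ == "__main__":
    print("\n".join(render_acl(build_acl(ALLOWED, VIP))))
    print("\n".join(render_classmap(ALLOWED, VIP)))
    flows = [(ALLOWED[0], VIP), (STRANGER, VIP), (STRANGER, OTHER_VIP)]
    for flow, result in compare(ALLOWED, VIP, flows).items():
        print(flow, result)
    # The misordered ACL lets the outsider through to the restricted VIP.
    print("misordered lets stranger in:", acl_permits(misordered_acl(ALLOWED, VIP), STRANGER, VIP))
```

Under the ACL style the outsider is denied to the restricted VIP but still permitted to the other VIP; under the class-map style the other VIP is simply outside the policy, which is the difference in scope Pablo's follow-up about changing the VIP or adding ports is pointing at.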
10-11-2010 04:47 PM
Your config is less favorable performance-wise. Like this, the ACE has to do L7 load-balancing, which means the connection will be proxied at first and then un-proxied. This introduces a small delay and makes things more complex, therefore more costly for ACE resources.
10-11-2010 06:08 PM
Hi Ivan,
Agree with you about the L7 inspection, but in this case we're just doing L3 inspection, so full TCP stack processing is not required; the connection is unproxied, where the only state information kept is that which the fastpath MP needs in order to rewrite packets as they transit through the ACE.
Also agree with you about the resource usage, but delay should not be noticeable unless your ACE is taking up to 250K conns, all of them L7 with header/regex inspection.
When it comes to complexity you need to consider troubleshooting and network scalability: what would happen if the VIP needs to be changed or dst ports need to be added?
Both configurations should do the trick; it's just a matter of what CLI handling you prefer.
Regards!
__ __
Pablo