ACE VIP & ACL

KAROLY KOHEGYI
Level 2

Hi,

The ACE config contains more than 20 service-policies and many VIP addresses. The ACE works in L3 mode.

We have to restrict the traffic to one of the VIPs to 6 nodes only from the public side.

How can I restrict the traffic with an ACL in the L3 class map?

Different policies use the servers on the server-side VLAN, thus we would not like to use a general traffic ACL under the server VLAN configuration.

Unfortunately, only one entry is permitted in the L3 class map!

However, this one entry is the virtual-address row.

What is the smart solution in this case? (VIP & ACL together)

Regards,

3 Accepted Solutions

Ivan Kovacevic
Cisco Employee

Why don't you use classical access control ACLs on ACE? You could do something like this:

access-list ACL extended permit ip host A host VIP
....
access-list ACL extended deny ip any host VIP
....
access-list ACL extended permit ip any any

interface vlan external_vlan_id
  access-group input ACL

Pablo
Cisco Employee

Hi,

I think the easiest way to do this is using an HTTP class-map (regardless of the load-balanced protocol, weird eh?)

Instead of an ACL you would use the match source-address command to specify the sources allowed to make it to the servers.

Here is how it looks:

class-map type http loadbalance match-any Hosts
  10 match source-address 192.168.10.20 255.255.255.255
  11 match source-address 192.168.10.21 255.255.255.255
  12 match source-address 192.168.10.22 255.255.255.255

class-map match-any Internet
  2 match virtual-address 192.168.20.15 tcp eq www

policy-map type loadbalance first-match Internet-FMP
  class Hosts
    serverfarm Backend

policy-map multi-match CLIENT-VIPS
  class Internet
    loadbalance vip inservice
    loadbalance policy Internet-FMP
    loadbalance vip icmp-reply active

Hope this helps!

Pablo

Your config is less favorable performance-wise. Like this the ACE has to do L7 load-balancing, which means the connection will be proxied at first and then un-proxied. This introduces a small delay and makes things more complex, therefore more costly for ACE resources.

Hi Ivan,

Agree with you about the L7 inspection, but in this case we're just doing L3 inspection, so full TCP stack processing is not required; the connection is unproxied, where the only state information kept is that which the fastpath MP needs in order to rewrite packets as they transit the ACE.

Also agree with you about the resource usage, but the delay should not be noticeable unless your ACE is taking up to 250K conns, all of them L7 with header/regex inspection.

When it comes to complexity you need to consider t-shooting and network scalability: what would happen if the VIP needs to be changed or dst ports need to be added?

Both configurations should do the trick; it's just a matter of what CLI handling you prefer.

Regards!

Pablo
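Both answers above restrict which public sources may reach one VIP, one with an interface ACL (Ivan) and one with a source-address class-map in the L7 policy (Pablo). The Python below is an added example, not code from this thread or from Cisco: it parses Ivan's ACL syntax, evaluates it with ACE-style first-match semantics, models Pablo's match-any class-map, and shows the two designs give the same allow/deny decision for a set of constructed flows. The ACL's A/VIP placeholders are filled with the hypothetical addresses from Pablo's example, and a source that matches no class in the first-match load-balance policy is assumed to be dropped. The last function shows the check a practitioner would want on Ivan's design: the deny line must sit after the per-host permits, otherwise the allowed nodes are blocked too.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample input: Ivan's ACL with the placeholders A and VIP filled in
# using the addresses from Pablo's class-map example (hypothetical values).
ACE_ACL = """
access-list ACL extended permit ip host 192.168.10.20 host 192.168.20.15
access-list ACL extended permit ip host 192.168.10.21 host 192.168.20.15
access-list ACL extended permit ip host 192.168.10.22 host 192.168.20.15
access-list ACL extended deny ip any host 192.168.20.15
access-list ACL extended permit ip any any
"""

# Pablo's class-map "Hosts": one (address, mask) pair per 'match source-address' line.
ALLOWED_SOURCES = [
    ("192.168.10.20", "255.255.255.255"),
    ("192.168.10.21", "255.255.255.255"),
    ("192.168.10.22", "255.255.255.255"),
]
VIP = "192.168.20.15"


@dataclass
class AclEntry:
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Parse one ACE address spec at tokens[i]: 'any', 'host X' or 'X MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_acl(text, name):
    """Return the entries of access-list NAME in configuration order."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:2] != ["access-list", name] or t[2] != "extended" or t[4] != "ip":
            continue
        src, i = _parse_addr(t, 5)
        dst, _ = _parse_addr(t, i)
        entries.append(AclEntry(t[3], src, dst))
    return entries


def acl_permits(entries, src_ip, dst_ip):
    """First-match evaluation; an ACE interface ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if s in e.src and d in e.dst:
            return e.action == "permit"
    return False


def classmap_matches(allowed, src_ip):
    """'match-any' over the class-map's source-address lines."""
    s = ipaddress.ip_address(src_ip)
    return any(s in ipaddress.ip_network(f"{a}/{m}") for a, m in allowed)


def allowed_by_acl(src_ip, dst_ip):
    """Ivan's design: the interface ACL decides for every flow."""
    return acl_permits(parse_acl(ACE_ACL, "ACL"), src_ip, dst_ip)


def allowed_by_classmap(src_ip, dst_ip):
    """Pablo's design: only traffic to the VIP goes through the L7 policy.
    A source matching no class in the first-match policy gets no serverfarm,
    modelled here as the connection being dropped (assumption)."""
    if ipaddress.ip_address(dst_ip) != ipaddress.ip_address(VIP):
        return True             # not the restricted VIP; other policies apply
    return classmap_matches(ALLOWED_SOURCES, src_ip)


def compare(flows):
    """For each (src, dst) flow return (src, dst, acl_decision, classmap_decision)."""
    return [(s, d, allowed_by_acl(s, d), allowed_by_classmap(s, d)) for s, d in flows]


def misordered_acl_blocks_allowed_hosts():
    """Line order matters: move 'deny ip any host VIP' ahead of the per-host
    permits and return the allowed hosts that can no longer reach the VIP."""
    entries = parse_acl(ACE_ACL, "ACL")
    entries.sort(key=lambda e: e.action != "deny")   # stable sort, deny first
    return [a for a, _ in ALLOWED_SOURCES if not acl_permits(entries, a, VIP)]


if __name__ == "__main__":
    sample_flows = [                       # constructed flows
        ("192.168.10.20", VIP),            # allowed node -> restricted VIP
        ("10.0.0.9", VIP),                 # other public host -> restricted VIP
        ("10.0.0.9", "192.168.20.99"),     # other public host -> another VIP
    ]
    for s, d, by_acl, by_cm in compare(sample_flows):
        print(f"{s:>14} -> {d:<14} ACL: {by_acl!s:5}  class-map: {by_cm}")
    print("Blocked when the deny line is misordered:", misordered_acl_blocks_allowed_hosts())
```

Run it as a script to see the side-by-side decisions. Note that the model covers only the access decision: it says nothing about Ivan's point that the class-map design costs an L7 proxy step per connection, and it assumes some other interface ACL already lets non-VIP traffic through in Pablo's design, as the question states one exists.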
