Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
812
Views
0
Helpful
5
Replies

ACE4710 and url based inspection

srdjankatic
Level 1
Level 1

‎11-29-2013 01:43 AM

Dear all,

i have one server farm with app servers that serve web app on ceratin url, let's say   http://server:port/application1.

I nedd to publish different module  off same app on same ip and port but different url to another group of users, let's say  http://server:port/application2.

When second group of users type /application1 they should not be allowed to get login page, only for url /application2

I was thinking about L7 policy. ACE4710 is not xml firewall but is it possible to set authorization or L7 acl based on url on web server?

How would you implement this solution in my case?

Thank You

Labels:
0 Helpful
5 Replies 5

Kanwaljeet Singh
Cisco Employee
Cisco Employee

‎11-29-2013 06:30 AM

Hi,

ACE have the capacity to inspect L7 information and take decisions but if i have understood your requirement correctly , you want both the URL's resolved to same VIP and loadbalanced to same serverfarm  but second group shouldn't have access to application in case they use URL used by first group.

I am not sure how ACE would differentiate between different set of groups. If you want that any user coming with , for example, application2 needs to be dropped that can be done.

I haven't tested but you can try a combination of "match source address and match url" and use different VIP's and get loadbalanced to same set of real servers running same application in different serverfarms.

For one group:


class-map type http loadbalance match-all test11
  2 match source-address 1.1.1.1 255.255.255.255
  3 match http url /test1

class-map match-all testing

  2 match virtual-address 2.2.2.2 tcp eq www

For second group:

class-map type http loadbalance match-all test12

2 match source-address 3.3.3.3 255.255.255.255

3 match http url /test2

class-map match-all testing

2 match virtual-address 4.4.4.4 tcp eq www

Regards,

Kanwal

0 Helpful

Kanwaljeet Singh
Cisco Employee
Cisco Employee
In response to Kanwaljeet Singh

‎11-29-2013 06:36 AM

Hi,

In fact i was thinking if you are using loadbalancing based on src IP, you don't need to define URL there.

Just get users from 1 group to one vip and 2 group to another and get them to loadbalance traffic to same rservers in different serverfarms.

Regards,

Kanwal

0 Helpful

srdjankatic
Level 1
Level 1
In response to Kanwaljeet Singh

‎11-29-2013 07:24 AM

Hi Kanwal, tnx for quick response.

This idea is based on security requirement

With your config if second group go to second VIP but add url for first group, (by mistake or with intesion) will they be able to get login screen for app1 for first group since same rserver hosts both urls? Idea is to de facto prevent second group user to type /application1 and get login page, they should be denied.

  I will try your config soon as possible and test also.

Tnx,

Srdjan

0 Helpful

Kanwaljeet Singh
Cisco Employee
Cisco Employee
In response to srdjankatic

‎11-29-2013 07:29 AM

Hi Srdjan,

If the users will not match the condition in class-map they will be dropped there itself and question of users going to real server doesn't arise.

You will have to define different VIP and different conditions for different set of users.

Regards,

Kanwal

0 Helpful

srdjankatic
Level 1
Level 1
In response to Kanwaljeet Singh

‎11-29-2013 07:39 AM

Thank you Kanwal, will try it next week.

0 Helpful
Customers Also Viewed These Support Documents