Combining layer 3/4 and layer 7 filtering

resbanknet
Level 1

Hi.

The configuration below is extracted from a working configuration where the ACE is doing SSL offload for a web service - this is pretty standard stuff.

What I have been asked to do is modify the configuration so that:

1) Any connections from an internal source (this will be the 10.0.0.0/8 and 17.16.0.0/16 ranges of IPs) can continue to access any URL.

2) Any other connections - which will be from an external source - are only allowed to access URLs beginning with /public and /downloads.

Can you please advise me on how to change this? If necessary, I can define a second VIP for the external connections and set up the DNS appropriately.

Thanks in advance

___________________________________________

crypto chaingroup WEBSERVER_CHAIN
  cert WEBSERVER.CER
  cert VERISIGN.CER

probe tcp WEBSERVER
  port 7777

ssl-proxy service SSL_PROXY_WEBSERVER
  key WEBSERVER.KEY
  cert WEBSERVER.CER
  chaingroup WEBSERVER_CHAIN

serverfarm host WEBSERVER
  probe WEBSERVER
  rserver SERVER1 7777
    inservice
  rserver SERVER2 7777
    inservice

sticky http-cookie WEBSERVER_COOKIE WEBSERVER_StickyGroup
  cookie insert browser-expire
  replicate sticky
  serverfarm WEBSERVER

class-map match-all WEBSERVER
  10 match virtual-address 172.16.16.1 tcp eq https

policy-map type loadbalance first-match WEBSERVER_L7
  class class-default
    sticky-serverfarm WEBSERVER_StickyGroup


policy-map multi-match GlobalLB
  class WEBSERVER
    loadbalance vip inservice
    loadbalance policy WEBSERVER_L7
    loadbalance vip icmp-reply
    ssl-proxy server SSL_PROXY_WEBSERVER

2 Replies

litrenta
Level 3

first make class maps to characterize the traffic:

class-map type http loadbalance match-all ten
  2 match source-address 10.0.0.0 255.0.0.0
  4 match http url .*

class-map type http loadbalance match-all seventeen
  2 match source-address 17.16.0.0 255.255.0.0
  4 match http url .*

class-map type http loadbalance match-any restrict
  2 match http url /public.*
  4 match http url /downloads.*

then use in load balance policy as follows:

policy-map type loadbalance first-match WEBSERVER_L7
  class ten
    sticky-serverfarm WEBSERVER_StickyGroup
  class seventeen
    sticky-serverfarm WEBSERVER_StickyGroup
  class restrict
    sticky-serverfarm WEBSERVER_StickyGroup

If you want to send outside users with other URLs to a sorry page, you would have a server in a serverfarm that would do that and use it in a class class-default at the bottom of the load-balance policy. The matches in the load-balance policy are evaluated top down, so order is important.
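The following is an added example and not part of the thread or of the ACE software: a small Python model of how the class maps and the first-match load-balance policy in the reply above are evaluated, run over constructed sample requests. It approximates "match http url" with Python's anchored re.match (an assumption; the ACE regex dialect may differ), treats a request that matches no class as not forwarded, and adds one check the reply does not mention: a prefix regex such as /public.* also admits /publicity.html and /public/../admin/, so the backend must still enforce its own authorisation on the normalised path. Addresses are copied as posted (including 17.16.0.0/16); the serverfarm name SORRY_FARM is hypothetical.

```python
import ipaddress
import posixpath
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Hypothetical model of ACE class-map / first-match policy evaluation. Not ACE code.
# Assumption: 'match http url <regex>' behaves like Python re.match on the raw path.


@dataclass(frozen=True)
class Request:
    src: str  # client source IP address
    url: str  # request URL path as seen on the wire


Matcher = Callable[[Request], bool]


def match_source(network: str) -> Matcher:
    """Equivalent of 'match source-address <addr> <mask>'."""
    net = ipaddress.ip_network(network, strict=False)
    return lambda r: ipaddress.ip_address(r.src) in net


def match_url(pattern: str) -> Matcher:
    """Equivalent of 'match http url <regex>' (Python re semantics assumed)."""
    rx = re.compile(pattern)
    return lambda r: rx.match(r.url) is not None


@dataclass
class ClassMap:
    name: str
    mode: str  # "match-all" or "match-any"
    matchers: List[Matcher]

    def matches(self, r: Request) -> bool:
        if not self.matchers:  # class-default: matches everything
            return True
        if self.mode == "match-all":
            return all(m(r) for m in self.matchers)
        return any(m(r) for m in self.matchers)


@dataclass
class FirstMatchPolicy:
    """'policy-map type loadbalance first-match': evaluated top down, first hit wins."""
    entries: List[Tuple[ClassMap, str]]  # (class map, serverfarm it sends traffic to)

    def evaluate(self, r: Request) -> Optional[str]:
        for cm, action in self.entries:
            if cm.matches(r):
                return action
        return None  # nothing matched: no serverfarm, the connection is not forwarded


INTERNAL = [match_source("10.0.0.0/8"), match_source("17.16.0.0/16")]  # as posted
CLASS_DEFAULT = ClassMap("class-default", "match-all", [])


def build_policy(sorry_farm: Optional[str] = None, default_first: bool = False) -> FirstMatchPolicy:
    """Builds the reply's WEBSERVER_L7 policy, optionally with a sorry-page class-default."""
    ten = ClassMap("ten", "match-all", [INTERNAL[0], match_url(".*")])
    seventeen = ClassMap("seventeen", "match-all", [INTERNAL[1], match_url(".*")])
    restrict = ClassMap("restrict", "match-any", [match_url("/public.*"), match_url("/downloads.*")])
    entries = [(ten, "WEBSERVER_StickyGroup"),
               (seventeen, "WEBSERVER_StickyGroup"),
               (restrict, "WEBSERVER_StickyGroup")]
    if sorry_farm:
        default = (CLASS_DEFAULT, sorry_farm)
        # default_first deliberately misplaces class-default at the top to show why order matters
        entries = [default] + entries if default_first else entries + [default]
    return FirstMatchPolicy(entries)


def escapes_allowed_prefix(url: str, prefixes=("/public", "/downloads")) -> bool:
    """True when the dot-segment-normalised path (what a backend typically serves)
    lies outside the allowed prefixes, even if the raw URL satisfied the regex."""
    normalised = posixpath.normpath(url)
    return not any(normalised == p or normalised.startswith(p + "/") for p in prefixes)


# Constructed sample traffic (not from the original post); 203.0.113.0/24 is documentation space
SAMPLES = [
    Request("10.1.2.3", "/admin/"),                # internal, any URL allowed
    Request("203.0.113.5", "/public/index.html"),  # external, allowed prefix
    Request("203.0.113.5", "/admin/"),             # external, disallowed
    Request("203.0.113.5", "/publicity.html"),     # external, prefix regex over-matches
    Request("203.0.113.5", "/public/../admin/"),   # external, traversal past the prefix
]


def run(policy: FirstMatchPolicy) -> List[Tuple[str, Optional[str]]]:
    return [(r.url, policy.evaluate(r)) for r in SAMPLES]


def external_bypasses(policy: FirstMatchPolicy) -> List[str]:
    """External requests the 'restrict' regexes forward whose normalised path is outside the prefixes."""
    return [r.url for r in SAMPLES
            if not any(m(r) for m in INTERNAL)
            and policy.evaluate(r) == "WEBSERVER_StickyGroup"
            and escapes_allowed_prefix(r.url)]


if __name__ == "__main__":
    for url, action in run(build_policy(sorry_farm="SORRY_FARM")):
        print(f"{url:24} -> {action}")
    print("regex allows but path escapes prefix:", external_bypasses(build_policy()))
```

Running it shows the three behaviours a practitioner should check before deploying the reply's configuration: internal clients reach any URL, an external /admin/ request gets no serverfarm (or SORRY_FARM when class-default is present at the bottom), and placing class-default first sends every request, internal ones included, to the sorry page. The bypass list is the reason to tighten the regexes (for example /public/.* rather than /public.*) and to keep authorisation on the web servers rather than relying on the load balancer's URL match alone.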

As usual, your posts are informative, litrenta.
