11-24-2011 06:11 AM
Hello.
I'm using a CSM-S with software version 2.1(10).
I'm looking for an example to filter some connections using a combination of IP source addresses and URL and redirect these to a dummy server farm.
Many thanks.
Regards.
Andrea
11-24-2011 07:35 AM
Hi Andrea,
I don't think there is a configuration example exactly for that, but I would recommend you have a look at the link below. It provides some configuration examples for different setups.
If you combine the examples "Configuring Load-Balancing Decisions Based on the Source IP Address", "Configuring Layer 7 Load Balancing" and "Configuring HTTP Redirect", you should get to what you are trying to achieve.
If you have specific questions about these examples, just let me know and I'll try to answer them.
Regards
Daniel
11-25-2011 01:43 AM
Hello Daniel and many thanks for your help.
I'm reading the configuration examples. I understand that I need to use a policy, removing the default policy. Really, I need to permit one URL to some source addresses and deny it for all others!
Now, we are using a simple configuration with one virtual server and two reals.
vserver WWW
 virtual 192.168.150.143 tcp www
 serverfarm WWW
serverfarm WWW
 nat server
 nat client pool A
 real name XXXX
  inservice
 real name YYYY
  inservice
This virtual server offers more than one web service: a.domain.com, b.domain.com, c.domain.com.
Using policies, I need to permit access to URL a.domain.com/test to some sources only. All other hosts and URLs are always permitted.
Regards.
Andrea
12-02-2011 02:27 AM
Hi Andrea,
You can still leave the default policy; it will be used for all those connections not matching any other. For those in which you need specific L7 processing (like matching a URL and an ACL), you will have to configure policies.
Regards
Daniel
12-05-2011 05:25 AM
Hello Daniel.
What do you think about my configuration? Only the host with IP 10.0.0.10 can access the tests pages.
Thanks.
Regards.
Andrea
!
access-list 11 remark Permit access to URL
access-list 11 permit host 10.0.0.10
!
access-list 12 remark Deny access to URL
access-list 12 deny any log
!
map VLAVORO-HDR-MAP-1 header
 match protocol http header Host header-value www.mydomain.com
!
map VLAVORO-URL-MAP-1 url
 match protocol http url /tests/*
!
serverfarm VLAVORO-DUMMY
 nat server
 real name XXXXXXX-1
  inservice
!
policy VLAVORO-URL-1
 client-group 11
 url-map VLAVORO-URL-MAP-1
 header-map VLAVORO-HDR-MAP-1
 serverfarm VLAVORO
!
policy VLAVORO-URL-2
 client-group 12
 url-map VLAVORO-URL-MAP-1
 header-map VLAVORO-HDR-MAP-1
 serverfarm VLAVORO-DUMMY
!
vserver VLAVORO-WWW
 no inservice
 slb-policy VLAVORO-URL-1
 slb-policy VLAVORO-URL-2
 serverfarm VLAVORO
 inservice
!
12-06-2011 05:04 AM
Hi Andrea,
The "VLAVORO-URL-2" policy is useless. Since the client group is associated with a deny all ACL, it will never be matched.
With this configuration, connections will either match the "VLAVORO-URL-1" policy (if they meet the requirements) or be load balanced using the default serverfarm (the one configured under VLAVORO-WWW)
Regards
Daniel
12-06-2011 05:39 AM
Hello Daniel and many thanks for your comments.
Sorry but I'm not able to find any other ideas to solve this problem.
Regards.
Andrea
12-06-2011 05:59 AM
Hi Andrea,
The problem is I don't really understand what your requirements are. If you just want to allow what matches "VLAVORO-URL-1" and block all the rest, then it would be enough to remove the serverfarm from under the vserver.
If you need a more specific scenario, please explain your exact needs and I will try to help.
Daniel
12-06-2011 06:18 AM
Hi Daniel.
This is my configuration...
vserver WWW
 virtual 192.168.150.143 tcp www
 serverfarm WWW
serverfarm WWW
 nat server
 nat client pool A
 real name XXXX
  inservice
 real name YYYY
  inservice
This vserver offers more web services, a.domain.com, b.domain.com, c.domain.com.
I need to permit access to URL a.domain.com/tests to some hosts: to do this I define the policy VLAVORO-URL-1. Then I need to deny access to the same URL for all others.
Finally, for all other URLs, use the default.
Many thanks.
Regards.
Andrea
12-06-2011 06:35 AM
Hi Andrea,
In that case, the configuration to be used would be the one below:
policy VLAVORO-permit
 client-group 11
 url-map VLAVORO-URL-MAP-1
 header-map VLAVORO-HDR-MAP-1
 serverfarm VLAVORO
!
policy VLAVORO-deny
 url-map VLAVORO-URL-MAP-1
 header-map VLAVORO-HDR-MAP-1
!
vserver VLAVORO-WWW
 no inservice
 slb-policy VLAVORO-permit
 slb-policy VLAVORO-deny
 serverfarm VLAVORO
 inservice
Since the VLAVORO-deny policy doesn't include a serverfarm, any connections matching it (the ones matching the URL but not the ACL) will be dropped.
It could be a good idea to add a client group with the inverse of ACL 11 to make the "VLAVORO-permit" and "VLAVORO-deny" policies mutually exclusive, but this is not mandatory because the CSM will process policies in the order they are configured.
I hope this helps
Daniel
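The policy evaluation discussed in this thread, modelled as an added example (not code from the thread or from Cisco), comparing the configuration posted on 12-05 with the accepted one. It assumes first-match processing in configured order, an implicit deny at the end of each ACL, and glob matching for the URL map; 10.0.0.99 is a constructed non-permitted client.

```python
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

# Standard ACLs as ordered (action, network) entries; no match means implicit deny.
ACLS = {
    11: [("permit", "10.0.0.10/32")],   # access-list 11 permit host 10.0.0.10
    12: [("deny", "0.0.0.0/0")],        # access-list 12 deny any log
}
URL_MAP = "/tests/*"             # map VLAVORO-URL-MAP-1 (glob approximation)
HOST_MAP = "www.mydomain.com"    # map VLAVORO-HDR-MAP-1

def acl_permits(acl, src):
    """True only if the first matching ACL entry is a permit."""
    for action, net in ACLS[acl]:
        if ip_address(src) in ip_network(net):
            return action == "permit"
    return False

def decide(policies, default_farm, src, host, url):
    """Return the serverfarm chosen for a request, or 'DROP'."""
    for _name, client_group, farm in policies:   # configured order, first match wins
        if client_group is not None and not acl_permits(client_group, src):
            continue                             # client-group ACL did not permit
        if host == HOST_MAP and fnmatchcase(url, URL_MAP):
            return farm if farm else "DROP"      # policy without a serverfarm drops
    return default_farm                          # no policy matched: vserver default

# (policy name, client-group ACL or None, serverfarm or None)
ORIGINAL = [("VLAVORO-URL-1", 11, "VLAVORO"),
            ("VLAVORO-URL-2", 12, "VLAVORO-DUMMY")]
ACCEPTED = [("VLAVORO-permit", 11, "VLAVORO"),
            ("VLAVORO-deny", None, None)]

def audit(policies):
    """Decisions for: allowed client, other client on /tests/, other client elsewhere."""
    requests = [("10.0.0.10", "www.mydomain.com", "/tests/a.html"),
                ("10.0.0.99", "www.mydomain.com", "/tests/a.html"),
                ("10.0.0.99", "www.mydomain.com", "/index.html")]
    return [decide(policies, "VLAVORO", *r) for r in requests]

if __name__ == "__main__":
    print("original:", audit(ORIGINAL))
    print("accepted:", audit(ACCEPTED))
```

In this model the 12-05 configuration sends the non-permitted client's /tests/ request to the default serverfarm, while the accepted configuration drops it and leaves all other URLs on the default.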
12-06-2011 06:49 AM
Hi Daniel and many thanks again.
Reading the configuration guide, I understand that I must associate a server farm with a policy. Because I need to drop connections, I simply don't associate a farm.
Regards.
Andrea
12-07-2011 01:44 AM
Hi Andrea,
Yes, if you don't associate a serverfarm with a policy, anything matching it will just be dropped.
Daniel
12-07-2011 02:21 AM
Many many thanks Daniel.
Regards.
Andrea