New Member

CSM-S and URL filtering.

Hello.

I'm using a CSM-S with software version 2.1(10).

I'm looking for an example to filter some connections using a combination of IP source addresses and URL and redirect these to a dummy server farm.

Many thanks.

Regards.

Andrea


12 REPLIES
Cisco Employee

CSM-S and URL filtering.

Hi Andrea,

I don't think there is a configuration example exactly for that, but I would recommend you have a look at the link below. It provides some configuration examples for different setups.

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csm/4.2.x/configuration/guide/cfgxpls.html

If you combine the examples "Configuring Load-Balancing Decisions Based on the Source IP Address", "Configuring Layer 7 Load Balancing" and "Configuring HTTP Redirect", you should get to what you are trying to achieve.

If you have specific questions about these examples, just let me know and I'll try to answer them

Regards

Daniel

New Member

Re: CSM-S and URL filtering.

Hello Daniel and many thanks for your help.

I'm reading the configuration examples. I understand that I need to use a policy, removing the default policy. Really, I need to permit one URL to some source addresses and deny it for all others!

Now, we are using a simple configuration with one virtual server and two reals.

vserver WWW
  virtual 192.168.150.143 tcp www
  serverfarm WWW
serverfarm WWW
  nat server
  nat client pool A
  real name XXXX
   inservice
  real name YYYY
   inservice

This virtual server offers more than one web service: a.domain.com, b.domain.com, c.domain.com.

Using policies, I need to permit access to URL a.domain.com/test to some sources only. All other hosts and URLs are always permitted.

Regards.

Andrea

Cisco Employee

Re: CSM-S and URL filtering.

Hi Andrea,

You can still leave the default policy; it will be used for all those connections not matching any other. For those in which you need specific L7 processing (like matching a URL and an ACL), you will have to configure policies.

Regards

Daniel

New Member

Re: CSM-S and URL filtering.

Hello Daniel.

What do you think about my configuration? Only the host with IP 10.0.0.10 can access the tests pages.

Thanks.

Regards.

Andrea

!
access-list 11 remark Permit access to URL
access-list 11 permit host 10.0.0.10
!
access-list 12 remark Deny access to URL
access-list 12 deny any log
!
map VLAVORO-HDR-MAP-1 header
  match protocol http header Host header-value www.mydomain.com
!
map VLAVORO-URL-MAP-1 url
  match protocol http url /tests/*
!
serverfarm VLAVORO-DUMMY
  nat server
  real name XXXXXXX-1
   inservice
!
policy VLAVORO-URL-1
  client-group 11
  url-map VLAVORO-URL-MAP-1
  header-map VLAVORO-HDR-MAP-1
  serverfarm VLAVORO
!
policy VLAVORO-URL-2
  client-group 12
  url-map VLAVORO-URL-MAP-1
  header-map VLAVORO-HDR-MAP-1
  serverfarm VLAVORO-DUMMY
!
vserver VLAVORO-WWW
  no inservice
  slb-policy VLAVORO-URL-1
  slb-policy VLAVORO-URL-2
  serverfarm VLAVORO
  inservice
!

Cisco Employee

Re: CSM-S and URL filtering.

Hi Andrea,

The "VLAVORO-URL-2" policy is useless. Since the client group is associated with a deny all ACL, it will never be matched.

With this configuration, connections will either match the "VLAVORO-URL-1" policy (if they meet the requirements) or be load balanced using the default serverfarm (the one configured under VLAVORO-WWW).

Regards

Daniel

New Member

Re: CSM-S and URL filtering.

Hello Daniel and many thanks for your comments.

Sorry but I'm not able to find any other ideas to solve this problem.

Regards.

Andrea

Cisco Employee

Re: CSM-S and URL filtering.

Hi Andrea,

The problem is I don't really understand what your requirements are. If you just want to allow what matches "VLAVORO-URL-1" and block all the rest, then it would be enough to remove the serverfarm from under the vserver.

If you need a more specific scenario, please explain your exact needs and I will try to help.

Daniel

New Member

Re: CSM-S and URL filtering.

Hi Daniel.

This is my configuration...

vserver WWW
  virtual 192.168.150.143 tcp www
  serverfarm WWW
serverfarm WWW
  nat server
  nat client pool A
  real name XXXX
   inservice
  real name YYYY
   inservice

This vserver offers multiple web services: a.domain.com, b.domain.com, c.domain.com.

I need to permit access to URL a.domain.com/tests to some hosts: to do this I define the policy VLAVORO-URL-1. Then I need to deny access to the same URL for all others.

Finally, for all other URLs, use the default.

Many thanks.

Regards.

Andrea

Cisco Employee

Re: CSM-S and URL filtering.

Hi Andrea,

In that case, the configuration to be used would be the one below:

policy VLAVORO-permit
  client-group 11
  url-map VLAVORO-URL-MAP-1
  header-map VLAVORO-HDR-MAP-1
  serverfarm VLAVORO
!
policy VLAVORO-deny
  url-map VLAVORO-URL-MAP-1
  header-map VLAVORO-HDR-MAP-1
!
vserver VLAVORO-WWW
  no inservice
  slb-policy VLAVORO-permit
  slb-policy VLAVORO-deny
  serverfarm VLAVORO
  inservice

Since the VLAVORO-deny policy doesn't include a serverfarm, any connections matching it (the ones matching the URL but not the ACL) will be dropped.

It could be a good idea to add a client group with the inverse of ACL 11 to make the "VLAVORO-permit" and "VLAVORO-deny" policies mutually exclusive, but this is not mandatory because the CSM will process policies in the order they are configured.

I hope this helps

Daniel
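
The policy ordering discussed in this thread, as a small Python model (an added example, not part of the original posts and not Cisco code). It assumes first-match policy evaluation, glob-style URL matching and exact Host comparison; the dictionary layout and function names are invented for the illustration.

```python
# Toy model of the CSM policy selection described in this thread; not Cisco code.
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network

DROP = "DROP"

def acl_permits(acl, src):
    """Standard ACL: first matching entry wins, implicit deny at the end."""
    for action, net in acl:
        if ip_address(src) in ip_network(net):
            return action == "permit"
    return False

def select_farm(vserver, acls, src, host, url):
    """Return the serverfarm chosen for a request, or DROP."""
    for pol in vserver["policies"]:            # tried in configured order
        group = pol.get("client_group")
        if group is not None and not acl_permits(acls[group], src):
            continue                           # client-group ACL does not permit
        if pol.get("host") and host != pol["host"]:
            continue                           # header-map (assumed exact match)
        if pol.get("url") and not fnmatch(url, pol["url"]):
            continue                           # url-map (assumed glob match)
        return pol.get("serverfarm") or DROP   # policy without serverfarm drops
    return vserver.get("default_farm") or DROP

ACLS = {11: [("permit", "10.0.0.10/32")], 12: [("deny", "0.0.0.0/0")]}
MATCH = {"host": "www.mydomain.com", "url": "/tests/*"}

# First attempt: second policy bound to deny-any ACL 12, so it never matches.
ATTEMPT = {"default_farm": "VLAVORO", "policies": [
    {"client_group": 11, **MATCH, "serverfarm": "VLAVORO"},
    {"client_group": 12, **MATCH, "serverfarm": "VLAVORO-DUMMY"}]}

# Suggested version: deny policy has no client-group and no serverfarm.
FIXED = {"default_farm": "VLAVORO", "policies": [
    {"client_group": 11, **MATCH, "serverfarm": "VLAVORO"},
    {**MATCH}]}

# Constructed sample requests: (source IP, Host header, URL)
REQUESTS = [("10.0.0.10", "www.mydomain.com", "/tests/a.html"),
            ("10.0.0.99", "www.mydomain.com", "/tests/a.html"),
            ("10.0.0.99", "www.mydomain.com", "/index.html")]

def run(vserver):
    return [select_farm(vserver, ACLS, *req) for req in REQUESTS]

if __name__ == "__main__":
    print("attempt:", run(ATTEMPT))
    print("fixed:  ", run(FIXED))
```

In the first result the unlisted client 10.0.0.99 still reaches VLAVORO for /tests/a.html through the default serverfarm; in the second the same request is dropped while /index.html continues to be served.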

New Member

Re: CSM-S and URL filtering.

Hi Daniel and many thanks again.

Reading the configuration guide, I understand that I must associate a server farm with a policy. Because I need to drop connections, I simply don't associate a farm.

Regards.

Andrea

Cisco Employee

Re: CSM-S and URL filtering.

Hi Andrea,

Yes, if you don't associate a serverfarm with a policy, anything matching it will just be dropped.

Daniel

New Member

Re: CSM-S and URL filtering.

Many many thanks Daniel.

Regards.

Andrea
