We have a CSS running a single VIP as far as this is concerned. A single SSL-proxy list but two services running behind that.
That is two content rules, one a layer 4, the other a layer 5. We want to restrict access to the layer 5 rule to certain users.
As we are using the same SSL, and only splitting out between the two apps after we have decrypted the SSL, I don't think the use of client certificates will help, nor will access lists as they are on the same IP address.
Just in case anyone else finds this in a search, this is what I have in the access list. This is from the lab, so no problem being open!
clause 11 permit any any destination content client/about
clause 30 permit any 10.1.199.3 255.255.255.255 destination content client/secure
clause 35 deny any any destination content client/secure
clause 40 permit tcp any destination any eq telnet
clause 200 permit tcp any destination 10.1.99.51 eq 80
This allows everyone to access the "about" content rule, a single IP to access "secure", and clause 200 is important - it lets the connection come up so that the request can be compared against content rules. A little caveat is that if there is a content rule (e.g. a L4 content rule) that would allow access to the restricted content, that may allow access.
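The clause-ordering logic described in the post, as an added example that is not part of the original post and not CSS code: a small first-match evaluator over an ordered list of permit/deny clauses, modelled on the access list above. The clause objects, the `evaluate` function, the sample source addresses and the request samples are constructed for illustration; the model matches on source IP, content rule name and TCP port only (it assumes a single VIP, so the destination address in clause 200 is not checked), and it treats "connection setup before the request is seen" as a request with no content rule yet.

```python
# Added example (not from the forum post): a first-match evaluator that mirrors
# how an ordered access list of "permit/deny ... destination content <owner>/<rule>"
# clauses decides a request. Clause numbers, addresses and request samples are
# constructed for illustration; the destination IP of clause 200 is assumed to be
# the single VIP and is therefore not modelled.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Clause:
    number: int
    action: str             # "permit" or "deny"
    source: str             # "any" or "a.b.c.d/prefix"
    content: Optional[str]  # "owner/rule", or None for "destination any"
    port: Optional[int]     # TCP port for port-based clauses, else None

    def matches(self, src_ip: str, content: Optional[str], port: int) -> bool:
        if self.source != "any" and ip_address(src_ip) not in ip_network(self.source):
            return False
        # A content clause only matches once the CSS has classified the request
        # into that content rule; before that point content is None.
        if self.content is not None and self.content != content:
            return False
        if self.port is not None and self.port != port:
            return False
        return True


# Constructed access list modelled on the post. Clause number is evaluation order.
ACL = sorted(
    [
        Clause(11, "permit", "any", "client/about", None),
        Clause(30, "permit", "10.1.199.3/32", "client/secure", None),
        Clause(35, "deny", "any", "client/secure", None),
        Clause(40, "permit", "any", None, 23),   # telnet to the box itself
        Clause(200, "permit", "any", None, 80),  # lets the TCP connection come up
    ],
    key=lambda c: c.number,
)


def evaluate(acl, src_ip: str, content: Optional[str], port: int):
    """Return (action, clause number) of the first matching clause, or
    ("deny", None) for the implicit deny at the end of the list."""
    for clause in acl:
        if clause.matches(src_ip, content, port):
            return clause.action, clause.number
    return "deny", None


if __name__ == "__main__":
    samples = [
        ("10.1.199.4", None, 80),               # connection setup, no request yet
        ("10.1.199.4", "client/about", 80),     # anyone may reach "about"
        ("10.1.199.3", "client/secure", 80),    # the one permitted source
        ("10.1.199.4", "client/secure", 80),    # everyone else is denied
        ("10.1.199.4", "client/l4catchall", 80),  # caveat: an L4 rule that also matches
        ("10.1.199.4", None, 443),              # no clause for 443 -> implicit deny
    ]
    for src, content, port in samples:
        print(src, content, port, "->", evaluate(ACL, src, content, port))
```

The last-but-one sample shows the caveat from the post: if the CSS classifies the flow into some other content rule (here the constructed name `client/l4catchall`) instead of `client/secure`, clause 35 never matches and clause 200 permits the request, so any L4 rule that could serve the restricted content needs its own deny clause or must be narrowed.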