Cisco Support Community
New Member

Source Base Policy

Hi,

I have an ACE 4710, and I am trying to configure a policy so that when a specific client tries to access a specific destination, the ACE should not send the traffic to load balancing; it should send it directly to the next hop.

I configured the below but was not able to achieve my objective.


access-list source_IP line 8 extended permit ip host 192.168.146.123 host 198.xx.xx.2


class-map match-all CM_BYPASS_SOURCE
  2 match access-list source_IP

policy-map type loadbalance http first-match PM_L7_BYPASS_SOURCE
  class class-default
    forward

policy-map multi-match PM_BYPASS_SOURCE
  class CM_BYPASS_SOURCE

interface vlan 500
  service-policy input PM_BYPASS_SOURCE
  service-policy input PM_MAIN_SERVER

But I am not able to reach the destination. My source traffic is still being diverted to the load-balancing server. I don't want it to be redirected to the LB server.

Please assist what I am missing.

17 REPLIES
Cisco Employee

Source Base Policy

Hi,

Any traffic that is not destined for a VIP will pass through the ACE.

Are you trying to send this particular client's traffic to next hop even though the destination is VIP address on ACE ?

Where is this client located and where is this destination in your network?

The client getting load balanced to a serverfarm indicates that you are trying to send the traffic to VIP which of course will be load balanced.

Regards,

Kanwal

New Member

Source Base Policy

Hi,

The source is my inside network on VLAN 500 and the destination is on the Internet.

The ACE has a default route towards the Internet firewall.

I am doing redirection of ports 80 and 443 on the ACE. Any port 80 and 443 traffic is being redirected by the ACE to the proxy server.

I don't want this to happen for a few LAN users when they are trying to access a few external websites.

When specific sources on my LAN hit 193.x.x.x or any public server, I want the ACE to send the traffic to the next hop instead of redirecting it to the proxy or any other load-balancing server.

Cisco Employee

Source Base Policy

Hi,

Please send me the relevant configuration here.

Please include the configuration you have done for redirecting clients to the proxy as well as the configuration you have done for the specific clients for which you don't want redirection.

You can also send me the complete show run output. Just mention the interesting IPs and farms.

Regards,

Kanwal

New Member

Re: Source Base Policy

Hi,

Please see the below configuration.


access-list source_IP line 8 extended permit ip host 192.168.25.89 host 198.xx.xxx.xxx


probe tcp PROBE_HTTPS
  port 443
  interval 15
  passdetect interval 60
  open 1
probe tcp PROBE_TCP
  port 80
  interval 15
  passdetect interval 60
  open 1
probe tcp PROBE_TCP_443
  port 443
  interval 15
  passdetect interval 60
  open 1

parameter-map type http PARAMAP_CASE
  case-insensitive
  no persistence-rebalance

rserver host PLATTS_APP
  ip address 192.168.0.1
  inservice
rserver host RS_BCPR01
  ip address 192.168.200.103
  inservice
rserver host RS_BCPR02
  ip address 192.168.200.104
  inservice

serverfarm host SF_BCPR
  transparent
  probe PROBE_TCP
  rserver RS_BCPR01
    inservice
  rserver RS_BCPR02
    inservice
serverfarm host SF_BCPR_https
  transparent
  probe PROBE_TCP_443
  rserver RS_BCPR01
    inservice
  rserver RS_BCPR02
    inservice


sticky ip-netmask 255.255.255.255 address source STICKY-SOURCE
  replicate sticky
  serverfarm SF_BCPR

sticky ip-netmask 255.255.255.255 address source STICKY-SOURCE-HTTPS
  replicate sticky
  serverfarm SF_BCPR_https

class-map match-all CM_BYPASS_SOURCE
  2 match access-list source_IP

class-map match-all CM_SF_BCPR
  255 match virtual-address 0.0.0.0 0.0.0.0 tcp eq www

class-map match-all CM_SF_BCPR_HTTPS
  2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq https

policy-map type management first-match PM_ALL
  class CM_ALL
    permit

policy-map type loadbalance http first-match PM_L7_BYPASS_SOURCE
  class class-default
    forward

policy-map type loadbalance http first-match PM_LB_SF_BCPROXY
  class class-default
    sticky-serverfarm STICKY-SOURCE

policy-map type loadbalance http first-match PM_LB_SF_BCPROXY_https
  match GITWLAN source-address 192.168.22.0 255.255.255.0
  class class-default
    forward

policy-map multi-match PM_MAIN_BCPROXY
  class CM_SF_BCPR
    loadbalance vip inservice
    loadbalance policy PM_LB_SF_BCPROXY
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options PARAMAP_CASE

  class CM_SF_BCPR_HTTPS
    loadbalance vip inservice
    loadbalance policy PM_LB_SF_BCPROXY_https
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options PARAMAP_CASE

service-policy input PM_ALL

interface vlan 300
  service-policy input PM_BYPASS_SOURCE
  service-policy input PM_MAIN_BCPROXY
  no shutdown

Cisco Employee

Source Base Policy

Hi,

Please use this class map under the multi-match policy and call policy PM_L7_BYPASS_SOURCE under it. I guess that should work fine.

policy-map type loadbalance http first-match PM_L7_BYPASS_SOURCE

  class class-default
    forward

class-map match-all CM_BYPASS_SOURCE
  2 match access-list source_IP

So it should look like this:

policy-map multi-match PM_MAIN_BCPROXY
  class CM_BYPASS_SOURCE
    loadbalance policy PM_L7_BYPASS_SOURCE

  class CM_SF_BCPR
    loadbalance vip inservice
    loadbalance policy PM_LB_SF_BCPROXY
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options PARAMAP_CASE

  class CM_SF_BCPR_HTTPS
    loadbalance vip inservice
    loadbalance policy PM_LB_SF_BCPROXY_https
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options PARAMAP_CASE

And this policy should be used on client side vlan.

Let me know how it goes.

Regards,

Kanwal

New Member

Re: Source Base Policy

Hi,

I applied the configuration but am getting the error mentioned below:

loadbalance vip inservice
Error: LB action requires match vip command

I didn't define any VIP, and I didn't configure a class-map for the VIP either.

My current configuration is mentioned below:

class-map match-all CM_BYPASS_SOURCE
  2 match access-list source_IP

policy-map type loadbalance http first-match PM_L7_BYPASS_SOURCE
  class class-default
    forward

policy-map multi-match PM_BYPASS_SOURCE
  class CM_BYPASS_SOURCE
    loadbalance vip inservice
Error: LB action requires match vip command

Please assist

Cisco Employee

Re: Source Base Policy

Hi,

Please use loadbalance policy. Don't use loadbalance vip inservice.

Regards,

Kanwal

New Member

Re: Source Base Policy

Hi,

I tried with the policy name but am still getting the same error.

policy-map multi-match PM_BYPASS_SOURCE
  class CM_BYPASS_SOURCE
    loadbalance policy PM_L7_BYPASS_SOURCE
Error: LB action requires match vip command

Cisco Employee

Source Base Policy

Hi,

Hmm.. I am out of the office and will test this tomorrow. It seems that the loadbalance command will only take effect if you have a corresponding VIP class map, which makes sense.

If no one replies by tomorrow, I will update you. If you get an answer before then, great. Let me figure this out in the lab.

Regards,

Kanwal

Cisco Employee

Source Base Policy

Hi,

Please try this:

class-map match-all BYPASS
  2 match virtual-address 193.0.0.0 any      <-- this is your desired public server on the Internet

class-map type generic match-all SOURCEL7
  2 match source-address 192.168.25.89 255.255.255.255      <-- this is your desired source from the LAN

policy-map type loadbalance generic first-match Bypass
  class SOURCEL7
    forward

policy-map multi-match PM_BYPASS_SOURCE
  class BYPASS      <-- should be above the port 80 and 443 class maps
    loadbalance policy Bypass
    loadbalance vip inservice

Try this and let me know please.

Regards,

Kanwal

New Member

Source Base Policy

Hi,

I tried, but it didn't work for me. I am trying to bypass cisco.com.

Below is the configuration.

class-map match-all CM_BYPASS_SOURCE
  2 match virtual-address 198.133.219.25 any

class-map type generic match-all CM_BYPASS_USERS
  2 match source-address 192.168.80.89 255.255.255.255

policy-map type loadbalance generic first-match PM_L7_BYPASS_USERS
  class CM_BYPASS_USERS
    forward


policy-map multi-match PM_BYPASS_SOURCE
  class CM_BYPASS_SOURCE
    loadbalance vip inservice
    loadbalance policy PM_L7_BYPASS_USERS


interface vlan 300
  service-policy input PM_BYPASS_SOURCE
  service-policy input PM_MAIN_BCPROXY

show service-policy PM_BYPASS_SOURCE detail

Status     : ACTIVE
Description: -----------------------------------------
Interface: vlan 1 300
  service-policy: PM_BYPASS_SOURCE
    class: CM_BYPASS_SOURCE
     VIP Address:    Protocol:  Port:
     198.133.219.25  any
      loadbalance:
        L7 loadbalance policy: PM_L7_BYPASS_USERS
        VIP ICMP Reply       : DISABLED
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 0        
        dropped conns    : 0        
        client pkt count : 0         , client byte count: 0                  
        server pkt count : 0         , server byte count: 0                  
        conn-rate-limit      : 0         , drop-count : 0        
        bandwidth-rate-limit : 0         , drop-count : 0        
        L7 Loadbalance policy : PM_L7_BYPASS_USERS
          class/match : CM_BYPASS_USERS
            LB action : forward
            hit count        : 0        
            dropped conns    : 0        
            compression      : off
      compression:
        bytes_in  : 0                  
        bytes_out : 0                  
        Compression ratio : 0.00%

One more thing: I need to add more public destinations and more source IP addresses, so I will create the class-map with match-any so that I can add more IP addresses.

Please advise.

Cisco Employee

Source Base Policy

Hi,

Have you applied this policy to correct interface?

Also, if possible can you send me the complete output of show running-config?

Regards,

Kanwal

New Member

Re: Source Base Policy

Hi,

Please find attached.

New Member

Re: Source Base Policy

Hi,

Appreciate assistance on this configuration issue.

New Member

Re: Source Base Policy

Hi,

Requesting assistance in achieving the below-mentioned requirement.

How can I bypass specific source IPs so that they are not load balanced when they hit a specific external public IP address?

New Member

Source Base Policy

Hi,

Appreciate your help in this regard.

Cisco Employee

Source Base Policy

Honestly, that's going to be painful to set up. If possible, let the proxy/cache decide what to bypass.

Anyway, the right way to do it:

If you want some sources to bypass the proxy completely, you should do it inside the 'loadbalance' policy-map,

i.e.:

policy-map type loadbalance http first-match PM_LB_SF_BCPROXY_https
  match BYPASS1 source-address 192.168.80.89 255.255.255.255
    forward
  match ....
    ...

Obviously, if this is per destination, your way should work.

Except that for traffic matching cisco.com but not coming from a bypass source you will have trouble, since there is no matching rule.

Once we have matched a multi-match entry, we try to find a corresponding action. If there is none, the traffic is dropped. We do not go on to the next multi-match class.

So in your case, you should configure a class-default to load balance the other traffic.

In your output, there is no match on your policy.

Take a sniffer trace to see if you do get traffic sent to the IP you configured.

There are multiple IPs for www.cisco.com,

e.g. for me:

C:\Users\gdufour>ping www.cisco.com

Pinging origin-www.cisco.com [72.163.4.161]

Gilles.
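Putting Kanwal's per-destination VIP class together with Gilles' two points (decide the bypass inside the loadbalance policy, and give that policy a class-default so traffic to the destination from non-bypass users is still load balanced instead of dropped), the following is a complete fragment covering both port 80 and 443. This is an added example, not configuration posted in the thread or published by Cisco. It reuses the thread's own names STICKY-SOURCE, STICKY-SOURCE-HTTPS, CM_SF_BCPR, CM_SF_BCPR_HTTPS, PM_MAIN_BCPROXY, PM_LB_SF_BCPROXY, PM_LB_SF_BCPROXY_https and PARAMAP_CASE and the destination 198.133.219.25; the names CM_VIP_CISCO_HTTP, CM_VIP_CISCO_HTTPS, CM_BYPASS_USERS, PM_L7_CISCO_HTTP and PM_L7_CISCO_HTTPS, the second bypass host 192.168.80.90, and the use of sticky-serverfarm inside a generic loadbalance policy are assumptions made here. Lines beginning with ! are annotations for the reader, not ACE commands, and are not meant to be pasted.

```text
! Added example, not from the thread. Names marked (assumed) are invented here.
!
! 1. Destination-specific VIP classes, one per port. Only traffic to this one
!    public address is handled by the bypass policies. These classes must sit
!    above the 0.0.0.0 port 80/443 classes in the multi-match policy, because
!    the ACE stops at the first multi-match class that matches.
class-map match-all CM_VIP_CISCO_HTTP
  2 match virtual-address 198.133.219.25 255.255.255.255 tcp eq www
class-map match-all CM_VIP_CISCO_HTTPS
  2 match virtual-address 198.133.219.25 255.255.255.255 tcp eq https

! 2. Source list of users allowed to skip the proxy for that destination.
!    match-any lets more hosts be added without touching the policies
!    (the generic class type is the one Kanwal used above).
class-map type generic match-any CM_BYPASS_USERS
  2 match source-address 192.168.80.89 255.255.255.255
  3 match source-address 192.168.80.90 255.255.255.255

! 3. Bypass policies. Listed sources are forwarded to the next hop unchanged.
!    class-default sends everyone else to the proxy farm; without it, traffic
!    that hit the VIP class but not the source class is dropped, not handed
!    to the next multi-match class (Gilles' point).
policy-map type loadbalance generic first-match PM_L7_CISCO_HTTP
  class CM_BYPASS_USERS
    forward
  class class-default
    sticky-serverfarm STICKY-SOURCE
policy-map type loadbalance generic first-match PM_L7_CISCO_HTTPS
  class CM_BYPASS_USERS
    forward
  class class-default
    sticky-serverfarm STICKY-SOURCE-HTTPS

! 4. Multi-match policy: the host VIP classes first, then the existing
!    catch-all classes exactly as in the original configuration.
policy-map multi-match PM_MAIN_BCPROXY
  class CM_VIP_CISCO_HTTP
    loadbalance vip inservice
    loadbalance policy PM_L7_CISCO_HTTP
  class CM_VIP_CISCO_HTTPS
    loadbalance vip inservice
    loadbalance policy PM_L7_CISCO_HTTPS
  class CM_SF_BCPR
    loadbalance vip inservice
    loadbalance policy PM_LB_SF_BCPROXY
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options PARAMAP_CASE
  class CM_SF_BCPR_HTTPS
    loadbalance vip inservice
    loadbalance policy PM_LB_SF_BCPROXY_https
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options PARAMAP_CASE

! 5. One policy on the client-side VLAN; the separate PM_BYPASS_SOURCE
!    policy from the earlier attempts is no longer needed.
interface vlan 300
  service-policy input PM_MAIN_BCPROXY
  no shutdown
```

Since the ACE adds classes to a multi-match policy in the order they are entered, getting the two host classes above CM_SF_BCPR and CM_SF_BCPR_HTTPS on a box that already has them may mean removing and re-entering the existing classes. Verify with show service-policy PM_MAIN_BCPROXY detail, as done earlier in the thread: the hit count under CM_BYPASS_USERS / forward should rise for a bypass host and class-default should rise for everyone else. If both stay at 0, the traffic is not reaching the ACE with that destination at all, which is Gilles' sniffer-trace point; remember that www.cisco.com resolves to several addresses, so one host entry catches only one of them. Every host in CM_BYPASS_USERS reaches that destination without the proxy's filtering or logging, so keep both the source list and the destination classes explicit rather than widening them to any.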

953 Views, 3 Helpful, 17 Replies