08-01-2013 06:26 AM
Working in a new environment and need to confirm traffic is restricted to only ssh and https.
interface gigabitEthernet 1/1
  description REAL SERVERS SDE
  speed 1000M
  duplex FULL
  switchport access vlan 200
  no shutdown
interface gigabitEthernet 1/2
  no shutdown
interface gigabitEthernet 1/3
  shutdown
interface gigabitEthernet 1/4
  speed 1000M
  duplex FULL
  switchport access vlan 500
  no shutdown

access-list ALL line 8 extended permit ip any any
access-list ALL line 9 extended permit tcp any any
access-list ALL line 10 extended permit udp any any
access-list ALL line 11 extended permit icmp any any

probe icmp PING
  ip address 162.16.103.200 routed
probe icmp PING1
  ip address 162.16.103.201 routed

parameter-map type http cisco_avs_parametermap
  persistence-rebalance
  length-exceed continue

rserver host Arges
  ip address 162.16.103.200
  conn-limit max 4000000 min 4000000
  probe PING
  inservice
rserver host Brontes
  ip address 162.16.103.201
  conn-limit max 4000000 min 4000000
  probe PING1
  inservice

action-list type optimization http WEB-ACTION-LIST
  flashforward
action-list type optimization http cisco_avs_container_latency
  flashforward
action-list type optimization http cisco_avs_img_latency
  flashforward
action-list type optimization http cisco_avs_obj_latency
  flashforward

serverfarm host VIRTUAL-SERVER-FARM
  rserver Arges 80
    backup-rserver Brontes 80
    conn-limit max 4000000 min 4000000
    probe PING1
    probe PING
    inservice
  rserver Brontes 80
    conn-limit max 4000000 min 4000000
    probe PING
    probe PING1
    inservice

class-map match-any VIRTUAL-SERVER-11
  2 match virtual-address 10.10.10.11 tcp any
class-map match-any VIRTUAL-SERVER-20
  2 match virtual-address 10.10.10.20 tcp eq www
class-map match-any VIRTUAL-SERVER-21
  2 match any
class-map type http loadbalance match-all cisco_avs_container_latency
  2 match http url http://10.10.10.*/browser/*
class-map type http loadbalance match-any cisco_avs_img_latency
  2 match http url .*jpg
  3 match http url .*jpeg
  4 match http url .*jpe
  5 match http url .*png
  6 match http url .*aspx
  7 match http url .*aspd
  8 match http url .*axd
  9 match http url .*axs
  10 match http url .i*
class-map type http loadbalance match-any cisco_avs_obj_latency
  2 match http url .*gif
  3 match http url .*css
  4 match http url .*js
  5 match http url .*class
  6 match http url .*jar
  7 match http url .*cab
  8 match http url .*txt
  9 match http url .*ps
  10 match http url .*vbs
  11 match http url .*xsl
  12 match http url .*xml
  13 match http url .*pdf
  14 match http url .*swf
  15 match http url .*aspx
  16 match http url .*aspd
  17 match http url .*axd
  18 match http url .*axs
  19 match http url .*
class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol any
  4 match protocol icmp any
  5 match protocol telnet any
  6 match protocol ssh any
  7 match protocol http any
  8 match protocol https any
  9 match protocol snmp any

policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit
policy-map type loadbalance first-match VIRTUAL-SERVER-11-l7slb
  class class-default
    serverfarm VIRTUAL-SERVER-FARM
policy-map type loadbalance first-match VIRTUAL-SERVER-20-l7slb
  class class-default
    serverfarm VIRTUAL-SERVER-FARM
policy-map type optimization http first-match VIRTUAL-SERVER-20-l7opt
  class cisco_avs_obj_latency
    action cisco_avs_obj_latency
  class cisco_avs_img_latency
    action cisco_avs_img_latency
  class cisco_avs_container_latency
    action cisco_avs_container_latency
policy-map multi-match int500
  class VIRTUAL-SERVER-20
    loadbalance vip inservice
    loadbalance policy VIRTUAL-SERVER-20-l7slb
    optimize http policy VIRTUAL-SERVER-20-l7opt
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options cisco_avs_parametermap
  class VIRTUAL-SERVER-11
    loadbalance vip inservice
    loadbalance policy VIRTUAL-SERVER-11-l7slb
    loadbalance vip icmp-reply active

interface vlan 200
  description "REAL SERVERS"
  ip address 162.16.103.1 255.255.255.0
  service-policy input remote_mgmt_allow_policy
  no shutdown
interface vlan 500
  description ACE CLIENT VLANE_Client VLAN
  ip address 10.10.10.5 255.255.255.0
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  service-policy input int500
  no shutdown
interface vlan 820
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.10.10.1

snmp-server contact "CHARLES"
snmp-server location "DEP 2"
snmp-server community LM-DEP2 group Network-Monitor
snmp-server trap-source vlan 820
08-09-2013 05:37 AM
Can you clarify what you mean by "traffic restricted to ssh & https"? I.e., do you mean only ssh & https mgmt traffic to the ACE, only https and ssh towards the VIP, or only ssh & https through the box (not load balanced)?
Matthew