ACE SSL Sticky class-map generic vs class default differences.

paul.rehill
Level 1

There was a thread recently titled "ACE 3.0(0) SW / LB with SSL Session-ID" in which Gilles Dufour outlined a configuration for an ACE performing stickiness based on the SSL Session ID.

Can anyone explain the benefits and differences of using a specific class-map generic such as this:

class-map type generic match-any SSL-v3-32
  2 match layer4-payload regex "\x16\x03\x00..\x01.*"
  3 match layer4-payload regex "\x16\x03\x01..\x01.*"

versus just matching class-default?

So if I have a configuration such as this:

policy-map type loadbalance generic first-match SSL-v3-Sticky
class SSL-v3-32
   sticky-serverfarm ssl-v3

vs

policy-map type loadbalance generic first-match SSL-v3-Sticky
class class-default
   sticky-serverfarm ssl-v3

What's the benefit or drawback?


Gilles Dufour
Cisco Employee

The SSL session id is only available in versions 3.0.1 and 3.1.1.

So you can match this particular version and then attempt to do stickiness.

You are guaranteed to find what you're looking for.

If you match class-default it means you apply stickiness to any version of SSL packet.

So there is a risk of misinterpreting the content of the packet and sticking on something other than the session id.

Gilles.
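To make the difference between the two class-maps concrete, here is an added Python example (written for this page, not code from the thread or from Cisco) that emulates the two `match layer4-payload regex` lines on constructed ClientHello records and then reads the session ID at the fixed offset a layer-4 payload sticky would use. The record layout is the standard SSL 3.0 / TLS 1.0 handshake format; `sticky_key` and `build_client_hello` are hypothetical helper names, and the byte strings are constructed samples, not captures.

```python
import re

# The two regexes from the SSL-v3-32 class-map, applied to the start of the layer-4 payload.
# \x16 = record type "handshake", \x03\x00 = SSL 3.0, \x03\x01 = TLS 1.0,
# ".." = the two-byte record length, \x01 = handshake type ClientHello.
# re.DOTALL makes "." match any byte, which is the assumed behaviour of the ACE matcher.
SSL_V3_32_PATTERNS = [
    re.compile(rb"\x16\x03\x00..\x01.*", re.DOTALL),
    re.compile(rb"\x16\x03\x01..\x01.*", re.DOTALL),
]

def matches_ssl_v3_32(payload: bytes) -> bool:
    """Emulates 'class-map type generic match-any SSL-v3-32'."""
    return any(p.match(payload) for p in SSL_V3_32_PATTERNS)

def raw_session_id(payload: bytes):
    """Reads the session id the way a fixed-offset sticky would: record header (5),
    handshake header (4), client_version (2), random (32), then a 1-byte length."""
    if len(payload) < 44:
        return None
    sid_len = payload[43]
    if sid_len > 32 or len(payload) < 44 + sid_len:
        return None
    return payload[44:44 + sid_len]

def sticky_key(payload: bytes, gate_with_class_map: bool):
    """gate_with_class_map=True models 'class SSL-v3-32'; False models 'class class-default'."""
    if gate_with_class_map and not matches_ssl_v3_32(payload):
        return None
    return raw_session_id(payload)

def build_client_hello(version: bytes, session_id: bytes) -> bytes:
    """Constructed sample ClientHello record carrying the given session id."""
    body = version + b"\x11" * 32 + bytes([len(session_id)]) + session_id
    body += b"\x00\x02\x00\x2f"   # cipher_suites: length 2, one suite
    body += b"\x01\x00"           # compression_methods: length 1, null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + version + len(handshake).to_bytes(2, "big") + handshake

if __name__ == "__main__":
    hello = build_client_hello(b"\x03\x01", b"\xaa" * 16)
    print(sticky_key(hello, True))                      # real session id
    # Constructed application-data record: class-default would still "stick" on it.
    app_data = b"\x17\x03\x01\x00\x37" + b"\x05" * 55
    print(sticky_key(app_data, True), sticky_key(app_data, False))
```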
