Combining layer 3/4 and layer 7 filtering

resbanknet
Level 1

Hi.

The configuration below is extracted from a working configuration where the ACE is doing SSL offload for a web service - this is pretty standard stuff.

What I have been asked to do is modify the configuration so that:

1) Any connections from an internal source (this will be the 10.0.0/8 and 17.16.0.0/16 range of IPs) can continue to access any URL.

2) Any other connections - which will be from an external source - are only allowed to access URLs beginning with /public and /downloads.

Can you please advise me on how to change this? If necessary, I can define a second VIP for the external connections and set up the DNS appropriately.

Thanks in advance

___________________________________________

crypto chaingroup WEBSERVER_CHAIN
  cert WEBSERVER.CER
  cert VERISIGN.CER

probe tcp WEBSERVER
  port 7777

ssl-proxy service SSL_PROXY_WEBSERVER
  key WEBSERVER.KEY
  cert WEBSERVER.CER
  chaingroup WEBSERVER_CHAIN

serverfarm host WEBSERVER
  probe WEBSERVER
  rserver SERVER1 7777
    inservice
  rserver SERVER2 7777
    inservice

sticky http-cookie WEBSERVER_COOKIE WEBSERVER_StickyGroup
  cookie insert browser-expire
  replicate sticky
  serverfarm WEBSERVER

class-map match-all WEBSERVER
  10 match virtual-address 172.16.16.1 tcp eq https

policy-map type loadbalance first-match WEBSERVER_L7
  class class-default
    sticky-serverfarm WEBSERVER_StickyGroup

policy-map multi-match GlobalLB
  class WEBSERVER
    loadbalance vip inservice
    loadbalance policy WEBSERVER_L7
    loadbalance vip icmp-reply
    ssl-proxy server SSL_PROXY_WEBSERVER

2 Replies

litrenta
Level 3

First make class maps to characterize the traffic:

class-map type http loadbalance match-all ten
  2 match source-address 10.0.0.0 255.0.0.0
  4 match http url .*

class-map type http loadbalance match-all seventeen
  2 match source-address 17.16.0.0 255.255.0.0
  4 match http url .*

class-map type http loadbalance match-any restrict
  2 match http url /public.*
  4 match http url /downloads.*

Then use in load balance policy as follows:

policy-map type loadbalance first-match WEBSERVER_L7
  class ten
    sticky-serverfarm WEBSERVER_StickyGroup
  class seventeen
    sticky-serverfarm WEBSERVER_StickyGroup
  class restrict
    sticky-serverfarm WEBSERVER_StickyGroup

If you want to send outside users with other URLs to a sorry page, you would have a server in a serverfarm that would do that and use it in a class class-default on the bottom of the load balance policy. The matches on load balance policy are top down, so order is important.
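To make the top-down first-match behaviour concrete, here is a Python model of the policy proposed in the reply above. This is an added example written for this page, not ACE configuration or Cisco code. It assumes that `match http url` is evaluated as a regular expression anchored at the start of the request path and that, with no class-default, a request matching no class gets no serverfarm (the model returns None). The address ranges are taken exactly as written in the thread; the `SORRY_FARM` name and the external address 203.0.113.9 are constructed for the demonstration.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Added example: a Python model of the first-match policy from the reply, not ACE code.
# Assumptions: "match http url" is a regex anchored at the start of the request
# path (re.match), and with no class-default an unmatched request gets no
# serverfarm (returned here as None).


@dataclass
class ClassMap:
    """One class-map: a set of source-address and URL match statements."""
    name: str
    match_all: bool                                   # True = match-all, False = match-any
    source_nets: list = field(default_factory=list)   # "addr/netmask" strings
    url_patterns: list = field(default_factory=list)  # regex strings

    def matches(self, src_ip: str, path: str) -> bool:
        ip = ipaddress.ip_address(src_ip)
        results = [ip in ipaddress.ip_network(net) for net in self.source_nets]
        results += [re.match(pat, path) is not None for pat in self.url_patterns]
        # class-default is modelled as match-all with no predicates: all([]) is True
        return all(results) if self.match_all else any(results)


@dataclass
class PolicyEntry:
    cls: ClassMap
    serverfarm: str


def evaluate(policy, src_ip, path):
    """Walk the policy top down; return the first matching serverfarm, or None."""
    for entry in policy:
        if entry.cls.matches(src_ip, path):
            return entry.serverfarm
    return None


# Class maps as written in the reply (address ranges copied from the thread).
TEN = ClassMap("ten", True, ["10.0.0.0/255.0.0.0"], [r".*"])
SEVENTEEN = ClassMap("seventeen", True, ["17.16.0.0/255.255.0.0"], [r".*"])
RESTRICT = ClassMap("restrict", False, [], [r"/public.*", r"/downloads.*"])
CLASS_DEFAULT = ClassMap("class-default", True)

# policy-map type loadbalance first-match WEBSERVER_L7
WEBSERVER_L7 = [
    PolicyEntry(TEN, "WEBSERVER_StickyGroup"),
    PolicyEntry(SEVENTEEN, "WEBSERVER_StickyGroup"),
    PolicyEntry(RESTRICT, "WEBSERVER_StickyGroup"),
]


def with_sorry_page(policy, where="bottom"):
    """Add a class-default that sends to a sorry-page farm (SORRY_FARM is a constructed name).

    'bottom' is the placement the reply describes; 'top' shows why order matters:
    class-default matches everything, so at the top it captures all traffic.
    """
    sorry = PolicyEntry(CLASS_DEFAULT, "SORRY_FARM")
    return policy + [sorry] if where == "bottom" else [sorry] + policy


if __name__ == "__main__":
    for src, path in [("10.1.2.3", "/admin"), ("203.0.113.9", "/public/a"),
                      ("203.0.113.9", "/admin"), ("203.0.113.9", "/admin/public")]:
        print(src, path, "->", evaluate(WEBSERVER_L7, src, path))
    print("sorry page at top, internal /admin ->",
          evaluate(with_sorry_page(WEBSERVER_L7, "top"), "10.1.2.3", "/admin"))
```

Running the block shows internal hosts reaching any path, external hosts reaching only /public and /downloads, and an external /admin request falling through with no serverfarm until a class-default is appended at the bottom. Placing that class-default at the top instead sends every request, internal ones included, to the sorry farm. One caveat worth checking on the real device: the model anchors the URL regex at the start of the path, so `/public.*` does not match `/admin/public`; if the platform matches unanchored, the `restrict` patterns would be broader than intended and should be tested against such paths.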

As usual, your posts are informative, litrenta.