Configuring URL Filter in ACE4710

Hi All,

I have 2 ACE4710 in an HA environment; they receive connections from the Internet. What I need to configure is the following:

The ACEs have two URLs configured, with the same port and VIP address, for example:

URL-1: www.xxxxx.com

URL-2: www.xxxxx.com/Admin

VIP Address: 10.10.10.10

Port: 8443

All clients point to the single VIP and port configured. I need to know if I can apply any filter or rule that allows me to distinguish when a customer goes to URL-1 or URL-2.

If any client tries to access URL-2, its traffic must be denied.

In summary, from the Internet I should be able to go only to URL-1.

Thanks for your help.

Regards,

Jaime.


pablo.nxh
Level 3

Hello Jaime,

Unless you have all the IPs that will be connecting from the Internet, the easier way would be to allow only the "internal" clients that are allowed to access URL-2, either with an ACL on the SVI or using multiple L7 class-maps to catch the different subnets.

HTH


Pablo

Hello Pablo,

Could you explain in more detail?

Thanks,

Jaime.

Hi Jaime,

For example, say that your internal network, or the networks that you want to allow access to URL-2, are 192.168.10.0/24 and 172.16.20.0/24; in this scenario we will be using nested class-maps.

- This is the class-map to match any source, regardless of whether it is internal or comes from outside.

class-map type http loadbalance match-any URL-1
  2 match http url .*

- Here is the class-map for URL-2, accessible only to internal users.

class-map type http loadbalance match-any URL-Admin
  2 match http url /admin.*

Create a new match-any class-map where you define the subnets or hosts that will be allowed to hit the URL configured above.

class-map type http loadbalance match-any Internal
  10 match source-address 192.168.10.0 255.255.255.0
  20 match source-address 172.16.20.0 255.255.255.0

Then you combine both "match-any" class-maps under a single "match-all" class-map.

class-map type http loadbalance match-all URL-2
  10 match class-map URL-Admin
  20 match class-map Internal

Finally, apply the correct sequence under the first-match policy:

policy-map type loadbalance first-match SLB
  class URL-2
    serverfarm Internal_Only
  class URL-1
    serverfarm Unrestricted

HTH


Pablo
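
To check where the first-match policy in the reply above sends a given request, the class-maps can be modelled and evaluated over sample traffic. This is an added example, not part of the original replies and not Cisco code. It assumes the URL regex must match the whole request path case-sensitively, uses the /24 subnets named in the reply, and the client addresses and paths are constructed.

```python
import ipaddress
import re

# Subnets as stated in the reply's text (/24).
INTERNAL_NETS = [ipaddress.ip_network("192.168.10.0/24"),
                 ipaddress.ip_network("172.16.20.0/24")]

def url_is(pattern):
    # Assumption: the regex must match the whole path, case-sensitively.
    rx = re.compile(pattern)
    return lambda src, path: rx.fullmatch(path) is not None

def source_in(nets):
    return lambda src, path: any(ipaddress.ip_address(src) in n for n in nets)

def match_any(*conds):
    return lambda src, path: any(c(src, path) for c in conds)

def match_all(*conds):
    return lambda src, path: all(c(src, path) for c in conds)

# The class-maps from the reply, in the same nesting.
URL_1 = match_any(url_is(r".*"))
URL_ADMIN = match_any(url_is(r"/admin.*"))
INTERNAL = match_any(source_in(INTERNAL_NETS))
URL_2 = match_all(URL_ADMIN, INTERNAL)

# policy-map type loadbalance first-match SLB: classes are tried in order.
SLB = [("URL-2", URL_2, "Internal_Only"),
       ("URL-1", URL_1, "Unrestricted")]

def evaluate(policy, src, path):
    """Return (class name, serverfarm) of the first class that matches."""
    for name, cond, serverfarm in policy:
        if cond(src, path):
            return name, serverfarm
    return None, None

# Constructed sample requests: (client address, request path).
SAMPLES = [("192.168.10.25", "/admin/login"),   # internal client, admin URL
           ("203.0.113.7", "/index.html"),      # outside client, public URL
           ("203.0.113.7", "/admin/login")]     # outside client, admin URL

if __name__ == "__main__":
    for src, path in SAMPLES:
        print(f"{src:15} {path:14} -> {evaluate(SLB, src, path)}")
```

In this model an outside request for /admin/login fails the Internal match in URL-2 and is then caught by the `.*` pattern in URL-1, so it is handled by the Unrestricted serverfarm rather than dropped by the policy.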
