Configuring URL Filter in ACE4710
07-11-2011 09:45 AM
Hi All,
I have 2 ACE4710 in an HA environment; they receive connections from the Internet. What I need to configure is the following:
The ACE has two URLs configured, with the same port and VIP address, for example:
URL-1: www.xxxxx.com
URL-2: www.xxxxx.com/Admin
VIP Address: 10.10.10.10
Port: 8443
All clients point to the single VIP and port configured. I need to know if I can apply any filter or rule that allows me to distinguish when a customer goes to URL-1 or URL-2.
If any client tries to access URL-2, its traffic must be denied.
In summary, from the Internet I should be able to go only to URL-1.
Thanks for your help.
Regards,
Jaime.
07-11-2011 10:56 AM
Hello Jaime,
Unless you have all the IPs that will be connecting from the Internet, the easier way would be to allow only the "internal" clients that are allowed to access URL-2, either with an ACL on the SVI or using multiple L7 class-maps to catch the different subnets.
HTH
Pablo
07-11-2011 11:32 AM
Hello Pablo,
Could you explain in more detail?
Thanks,
Jaime.
07-11-2011 05:36 PM
Hi Jaime,
For example, say that your internal network or the networks that you want to allow access to URL-2 are 192.168.10.0/24 and 172.16.20.0/24; in this scenario we will be using nested class-maps.
- This is the class-map to match any source, regardless of whether it is internal or comes from outside.
class-map type http loadbalance match-any URL-1
  2 match http url .*
- Here is the class-map for URL-2, accessible only to internal users.
class-map type http loadbalance match-any URL-Admin
  2 match http url /admin.*
Create a new match-any class-map where you define the subnets or hosts that will be allowed to hit that URL configured above.
class-map type http loadbalance match-any Internal
  10 match source-address 192.168.10.0 255.255.255.0
  20 match source-address 172.16.20.0 255.255.255.0
Then you combine both "match-any" class-maps under a single "match-all" class-map.
class-map type http loadbalance match-all URL-2
  10 match class-map URL-Admin
  20 match class-map Internal
Finally apply the correct sequence under the first match policy:
policy-map type loadbalance first-match SLB
  class URL-2
    serverfarm Internal_Only
  class URL-1
    serverfarm Unrestriced
HTH
Pablo
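A way to check the policy logic before it goes on the ACE, as an added example that is not part of the thread or Cisco code: a small Python model of the first-match policy that reports which class and serverfarm each request lands in, comparing a 255.255.0.0 source mask with the 255.255.255.0 mask of a /24. It assumes the URL regex must match the whole path, case-sensitively; the sample requests and the helper names are constructed for illustration.

```python
import ipaddress
import re

def in_nets(src, nets):
    """match-any over 'match source-address <ip> <mask>' lines."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(f"{a}/{m}", strict=False) for a, m in nets)

def url_is(pattern, url):
    # Assumption: the regex must match the whole URL path, case-sensitively.
    return re.fullmatch(pattern, url) is not None

def build_policy(internal_nets):
    """Ordered (class, predicate, serverfarm) list, same order as policy-map SLB."""
    return [
        # URL-2 is match-all: URL-Admin AND Internal must both match.
        ("URL-2", lambda s, u: url_is(r"/admin.*", u) and in_nets(s, internal_nets),
         "Internal_Only"),
        ("URL-1", lambda s, u: url_is(r".*", u), "Unrestriced"),
    ]

def first_match(policy, src, url):
    """Return (class, serverfarm) of the first class that matches, else None."""
    for name, pred, farm in policy:
        if pred(src, url):
            return name, farm
    return None

# The two mask choices under comparison.
WIDE = [("192.168.10.0", "255.255.0.0"), ("172.16.20.0", "255.255.0.0")]
NARROW = [("192.168.10.0", "255.255.255.0"), ("172.16.20.0", "255.255.255.0")]

# Constructed sample requests: (source IP, URL path).
SAMPLES = [
    ("192.168.10.25", "/admin/login"),  # inside 192.168.10.0/24
    ("192.168.99.7", "/admin/login"),   # inside 192.168.0.0/16 only
    ("203.0.113.50", "/admin/login"),   # Internet client (documentation range)
    ("203.0.113.50", "/index.html"),
]

def evaluate(nets):
    policy = build_policy(nets)
    return [first_match(policy, s, u) for s, u in SAMPLES]

if __name__ == "__main__":
    for label, nets in (("255.255.0.0", WIDE), ("255.255.255.0", NARROW)):
        for (s, u), hit in zip(SAMPLES, evaluate(nets)):
            print(f"{label:14} {s:15} {u:14} -> {hit}")
```

In this model the Internet client requesting /admin/login does not match URL-2 and is picked up by URL-1, because `.*` matches every URL; which serverfarm that traffic should reach is the point to verify against the requirement.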
