01-11-2007 04:46 AM
Hi,
I am trying to decipher how to bypass the content rules being processed to allow the traffic to go direct to the real (origin) server without going via a load-balanced device. As I know the destination IPs, it seems to me that I can use ACLs with the bypass keyword to bypass the rule engine. If this is true, then I have a couple of questions regarding ACLs in CSS.
1. CSS ACLs seem to support 255 clauses; can they support more entries, say 500?
2. If the answer to Q1 is no, then can I apply more than one ACL to a circuit?
BR
Alan
01-11-2007 04:56 AM
Alan,
It's more simple than that.
If you want to access the real server directly, use its IP address instead of the virtual IP.
The CSS is also a router/switch, so it will route traffic that does not match a virtual IP.
No need for an ACL [except maybe to permit the traffic if you had it denied].
Gilles.
01-11-2007 05:15 AM
Thanks Gilles,
Can CSS support the setup of 500 VIPs?
BR
Alan
01-11-2007 06:56 AM
Alan,
Yes, you can have 500 VIPs on a CSS.
Gilles.
01-11-2007 08:44 AM
Hi Gilles,
Thanks again for the feedback.
As I have no IP for the content defined, it'll try to match any IP. So I see two options now, given that I need to filter out approx 500 IPs from the "catch all" content rule.
1. Bypass using ACL and NQL: have a single NQL with 500 IP host entries, linking this to a single clause in the ACL assigned to the incoming interface.
2. Add 500 content rules with each VIP assigned to one content rule.
Would you agree that the better approach would be to use option 1 as it would contain less config?
BR
Alan
01-11-2007 11:44 PM
Alan,
OK, I see the need for the bypass now.
I think that option 1 is much better.
Gilles.