
HOWTO: explicitly send particular host traffic to one rserver in a serverfarm

Hi Guys,

At the moment we have a situation where we have one serverfarm, with rserverA and rserverB, behind one VIP address.

We would like to do the following:

1) Send a select list of Client IP's to rserver A.

2) The rest of the traffic to rserver B.

Is this possible?

Any code segments would be helpful as well.

Also we are doing stickiness based on source IP address.

Let me know if you need any more info.




Hi Rob,

You can do this using either ACLs which can become difficult to t-shoot or the easy/scalable way with L7 policy load balance.

You need to create new serverfarms where you will include only serverfarm A and B separately.

serverfarm host A

  rserver A


serverfarm host B

  rserver B


- Here you would match the different hosts/subnets

class-map type http loadbalance match-any Host-A
  2 match source-address

  3 match source-address

class-map type http loadbalance match-any Host-B
   2 match source-address

- Then you do your first-match policy. This is a logical "OR"; supposing there are clients that will not fall within the subnets/hosts described above, class-default will take care of that traffic and it will end up being load balanced to the "Mixed" serverfarm.

policy-map type loadbalance first-match LB

  class Host-A

    serverfarm A

  class Host-B

    serverfarm B

  class class-default  

     sticky-serverfarm Mixed


__ __


Sorry for the delayed response,

We are trying to work out if the code above will only match on 'http' traffic. We need to match on both http and https traffic.

At the moment I have coded this:


class-map type http loadbalance MY_TEST_FARM

2 match source-address


So by default, if I have left out the 'match-all' or 'match-any', what is the default action?

Thank you in advance,


Hi Rob,

The class-maps type http will work to match both HTTP and HTTPS, because in this case the ACE won't need to check beyond layer 3 to make a decision. You can also do it with a generic class-map but it is pretty much the same thing.

class-map type generic match-any LB

10 match source-address

The default action, if not specified, is a "match-all".


__ __
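A simplified model of the first-match policy and the match-any/match-all default discussed above, added here as an illustration and not taken from the posts or from Cisco. The addresses, the TEST farm name and the treatment of match-all as a logical AND over every source-address line are assumptions; the check flags classes that can never receive traffic before a client list is deployed.

```python
import ipaddress

# Constructed sample policy modelling the thread's config; all addresses are
# documentation-range placeholders, not values from the original posts.
CLASS_MAPS = {
    "Host-A": ("match-any", ["192.0.2.10/32", "192.0.2.64/26"]),
    "Host-B": ("match-any", ["198.51.100.0/24"]),
    # No keyword given -> modelled as match-all (assumption: logical AND).
    "MY_TEST_FARM": (None, ["192.0.2.10/32", "203.0.113.0/24"]),
}
POLICY = [("Host-A", "A"), ("MY_TEST_FARM", "TEST"),
          ("Host-B", "B"), ("class-default", "Mixed")]


def class_matches(name, client_ip, class_maps=CLASS_MAPS):
    """True if client_ip satisfies the class-map's source-address criteria."""
    if name == "class-default":
        return True
    mode, nets = class_maps[name]
    ip = ipaddress.ip_address(client_ip)
    hits = [ip in ipaddress.ip_network(n) for n in nets]
    return any(hits) if mode == "match-any" else all(hits)


def select_serverfarm(client_ip, policy=POLICY, class_maps=CLASS_MAPS):
    """First-match: return the serverfarm of the first class that matches."""
    for cls, farm in policy:
        if class_matches(cls, client_ip, class_maps):
            return farm
    return None  # only reachable if the policy has no class-default


def unreachable_classes(policy=POLICY, class_maps=CLASS_MAPS):
    """Classes that can never match: match-all over disjoint networks,
    or any class listed after class-default."""
    dead, seen_default = [], False
    for cls, _ in policy:
        if seen_default:
            dead.append(cls)
        elif cls == "class-default":
            seen_default = True
        else:
            mode, raw = class_maps[cls]
            nets = [ipaddress.ip_network(n) for n in raw]
            disjoint = any(not a.overlaps(b)
                           for i, a in enumerate(nets) for b in nets[i + 1:])
            if mode != "match-any" and disjoint:
                dead.append(cls)
    return dead
```
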


Hi Pablo,

We got this working, with the http policy.

Just wondering though when we have the following command:

"policy-map type loadbalance first-match LB"

I couldn't see issue a generic class map after this, just the http class maps, is the above line default to only reference certain class-maps?



Hi Rob,

Glad to hear you got it working!!!

The problem with generic class-maps is that they can only be attached under "type" generic first-match policies,

i.e "policy-map type loadbalance generic LB"

Personally I've never seen generic policies being used; as the documentation states, "use this keyword to provide support for protocols that the ACE does not explicitly support". You rarely see a "not supported" protocol because most of them work at layer 4, which represents no problem to the ACE.

"Is the above line default to only reference certain class-maps?"

Well... kinda, it allows you to match layer 3-4 class-maps and HTTP (L5). HTTP class-maps are designed for L5 matching but they can also inspect from L3 to L7. HTTPS is readable up to layer 4 to the ACE or any device (if SSL termination is not configured), so that's why you can do a "source-match" for SSL traffic under an HTTP class-map/policy-match; in this case L5 inspection is not required at all.


__ __


Ok, so if we need to load balance some FTP traffic as well on the same VIP, with deterministic source IPs.

How would we modify our config to suit this new requirement or would it already do this?

Also if our HTTP traffic comes over a customised port say tcp port 8080, do we need to do anything on the ACE, or it is smart enough to know about HTTP on a different port?

Thanks for your help so far, it's been very helpful!



Hi Rob,

Yup, if you wanted to balance any other L3/L4 protocol you're in good shape now, for example for FTP you can use the same class-map that includes the "source-match" then configure a new first-match policy and the new VIP or same VIP with "eq ftp". (FTP configuration is a little bit tricky though).

"Also if our HTTP traffic comes over a customised port say tcp port 8080, do we need to do anything on the ACE, or it is smart enough to know about HTTP on a different port?"

Same thing here, as long as you have a VIP that matches incoming traffic with dst port 8080 you shouldn't have any problem because it is still a L4 matching from the ACE perspective.

For example if you want to match standard and secondary HTTP ports under the same class-map assuming both ports are balanced to the same real servers then you would do it like this:

class-map match-any WEB

  2 match virtual-address tcp eq www

  3 match virtual-address tcp eq 8080

So that you can apply the same filtering to both ports under the first-match policy; saving config lines and resources at the same time.


__ __


Actually, I'm trying this implementation again, but we are getting this error, it seems that our policy-map only supports the 'class class-default' keywords for some reason???

DCSACE01/PDMZ-VRF(config)# policy-map type loadbalance first-match WEBPROXY02_CLUSTER_v3


    sticky-serverfarm webproxy02_TESTFARM-sticky

DCSACE01/PDMZ-VRF(config-pmap-lb)#   class WEBPROXY_TESTFARM_B

  class class-default

    sticky-serverfarm webproxy02-stickyError: Specified class-map is not consistent with the policy-map type

DCSACE01/PDMZ-VRF(config-pmap-lb)#     sticky-serverfarm webproxy02_TESTFARM-sticky


% invalid command detected at '^' marker.


DCSACE01/PDMZ-VRF(config)# policy-map type loadbalance first-match WEBPROXY02_CLUSTER_v3

DCSACE01/PDMZ-VRF(config-pmap-lb)# class ?

  class-default  Specify actions for default class-map

DCSACE01/PDMZ-VRF(config-pmap-lb)# class

The version we are running is

Version A2(1.2)

(Yes, it's a bit old)


