Restrict Access to VIP

kris-andrews
Level 1

Hi All,

I am trying to restrict a certain number of source addresses accessing a VIP.

For example, I want to permit access to a VIP address (i.e. 172.120.1.132) only to specific source networks (192.168.1.0/24 and 192.168.2.0/24) and deny anything else trying to hit the VIP.

I have tried to add an access-list containing the permitted source subnets to a class-map and then I tried adding the class-map to the load-balancing policy, but I receive the following error:

Error: Specified class-map is not consistent with the policy-map type

Does anyone know of a specific method I can use in order to achieve this?

Thank you

Kris

6 Replies

Daniel Arrondo Ostiz
Cisco Employee

Hi Kris,

Have you tried using an access-list configured on the vlan interface itself? It should work also

Daniel

Hi Daniel,

I could apply the access-list to the interface itself; however, I want to keep this access control specific to the VIP.

I did see on a forum that it may be possible to use a layer 7 class-map to match the source, but I'm not sure of the configuration to support this.

Kris

Hi Daniel,

I have generated a test config to specify the client source IP in order to load balance the traffic; would this suffice?

rserver host myserver
  description testserver
  ip address 10.10.254.1

serverfarm host myserverfarm
  rserver myserver
    inservice

class-map type http loadbalance match-any MATCH-SOURCE-IP
  2 match source-address 192.168.1.0 255.255.255.0
  3 match source-address 192.168.2.0 255.255.255.0
class-map match-all VIP-ADDRESS
  2 match virtual-address 172.120.1.132 tcp eq www

policy-map type loadbalance first-match SLB-POLICY
  class MATCH-SOURCE-IP
    serverfarm myserverfarm
policy-map multi-match SLB-POLICY-MM
  class VIP-ADDRESS
    loadbalance policy SLB-POLICY
    loadbalance vip inservice

Hi Kris,

This configuration will also work, but it's not something I would recommend to you if you are also planning to use regular expressions to match HTTP strings.

When both are used at the same time, the internal memory usage will grow exponentially for each regular expression and each match source statement, so you may end up in a situation in which your configuration cannot grow any more due to memory constraints.

Regards

Daniel

Hi Daniel,

Thank you for your feedback, very useful info.

So the only thing that I want to achieve is load balancing based on specific source networks; no URL matching will be used in this scenario, traffic will be classified simply on the VIP and port.

However, will this configuration in itself generate significant load on the ACE without using regular expressions to match strings? In your opinion, would you consider this bad practice for what I am trying to achieve?

Kris

Hi Kris,

The match statements on their own are not an issue, because the ACE can handle up to either 4K or 16K entries depending on the version. The problem comes when it's used along with regular expressions, because in that case the total usage internally will be approximately the number of match statements multiplied by the number of regular expression entries, so you could easily hit the 16K limit.

As far as the rest of the resources are concerned, it should not have any impact on CPU, memory usage or similar.
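As an added illustration (not from the thread, and not Cisco's own tooling), the following Python checks two things discussed above: which client addresses the `match source-address` class-map admits, and the sizing rule Daniel describes, where match statements multiplied by regex entries must stay within the 4K/16K limit. The MATCH-URLS class and its URL patterns are hypothetical, constructed only to show the multiplication effect.

```python
import ipaddress
import re

# Constructed ACE config fragment modelled on the thread: the real source-address
# class from the post plus a hypothetical regex class (MATCH-URLS) to show the cost.
SAMPLE_CONFIG = """
class-map type http loadbalance match-any MATCH-SOURCE-IP
  2 match source-address 192.168.1.0 255.255.255.0
  3 match source-address 192.168.2.0 255.255.255.0
class-map type http loadbalance match-any MATCH-URLS
  2 match http url /images/.*
  3 match http url /api/.*
  4 match http url /static/.*
"""

# ACE class-map lines may carry a leading line number ("2 match ..."); tolerate both forms.
SOURCE_RE = re.compile(r"^\s*(?:\d+\s+)?match source-address (\S+) (\S+)", re.M)
REGEX_RE = re.compile(r"^\s*(?:\d+\s+)?match http url \S+", re.M)


def permitted_networks(config):
    """Networks listed in 'match source-address <addr> <mask>' lines."""
    return [ipaddress.ip_network(f"{a}/{m}", strict=False) for a, m in SOURCE_RE.findall(config)]


def is_permitted(config, client_ip):
    """True when the client address falls inside one of the permitted source networks."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in permitted_networks(config))


def estimated_entries(config):
    """Approximate internal entries per the thread: source-match lines multiplied by
    regex entries when both are present, otherwise just the source-match lines."""
    n_src = len(SOURCE_RE.findall(config))
    n_regex = len(REGEX_RE.findall(config))
    return n_src * n_regex if n_regex else n_src


def fits_limit(config, limit=16384):
    """Compare the estimate against the platform limit (4096 or 16384 depending on version)."""
    return estimated_entries(config) <= limit


if __name__ == "__main__":
    print(is_permitted(SAMPLE_CONFIG, "192.168.2.77"))  # True
    print(is_permitted(SAMPLE_CONFIG, "10.0.0.5"))  # False
    print(estimated_entries(SAMPLE_CONFIG), fits_limit(SAMPLE_CONFIG, 4096))  # 6 True
```

With no regex class present the estimate collapses to the two source lines, which is the situation Kris describes.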