Restricting access to VIP (using ACE module)

wim.juste
Level 1

Dear all,

I'm trying to find out whether you can restrict access to a single VIP to only 2 different source IP addresses.

Our situation looks like:

ACE module setup in one-armed design, using NAT.

About 200 vips are defined.

I know you could restrict access using an access-list and apply it to the interface.

But I was hoping this restriction could be configured within the particular class-map / policy-map of this single VIP configuration?

Here’s also a snap-shot from our load balancer, showing (only) the single VIP configuration.

(I explicitly did not include all other 199 vip configurations)

Ps: the traffic hitting this vip is NO http traffic, but generic TCP traffic.

In advance, thanks for any feedback.

Truly appreciate it !

access-list 101 extended permit ip any any

rserver host P_ARDS_1
  ip address x.x.32.130
  inservice
rserver host P_ARDS_2
  ip address x.x.32.128
  inservice
rserver host P_ARDS_3
  ip address x.x.10.69
  inservice
rserver host P_ARDS_4
  ip address x.x.10.79
  inservice

serverfarm host P_ARDS_SF_LB
  predictor leastconns
  probe PING
  rserver P_ARDS_1
    inservice
  rserver P_ARDS_2
    inservice
  rserver P_ARDS_3
    inservice
  rserver P_ARDS_4
    inservice

class-map match-all P_ARDS_VS_LB
  2 match virtual-address 10.0.0.1 tcp any

policy-map type loadbalance first-match P_ARDS_P_LB
  class class-default
    sticky-serverfarm P_ARDS_S_LB

policy-map multi-match VIP_vlan485
  class P_ARDS_VS_LB
    loadbalance vip inservice
    loadbalance policy P_ARDS_P_LB
    loadbalance vip icmp-reply active

interface vlan 101
  ip address 10.120.18.133 255.255.255.240
  alias 10.120.18.132 255.255.255.240
  peer ip address 10.120.18.134 255.255.255.240
  access-group input 101
  access-group output 101
  service-policy input MNGT_101
  service-policy input NAT_vlan101
  service-policy input VIP_vlan101
  no shutdown

1 Reply

rvavale
Cisco Employee

Hi Wim,

Let's say you want to restrict access to a client with source IP 1.1.1.1. Then you can configure a class-map to match on the source IP,

class-map type http loadbalance match-all Source-IP
  2 match source-address 1.1.1.1 255.255.255.255

And apply it to the policy-map:

policy-map type loadbalance first-match P_ARDS_P_LB
  class Source-IP
    sticky-serverfarm P_ARDS_S_LB

With the above config, for any request hitting the VIP, it will check if the source IP matches class-map 'Source-IP'. If it does, then it will be load balanced; if not, then the request will fail.

http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_2_0/configuration/slb/guide/classlb.html#wp1478259

Hope this helps,

Best Regards,

Rahul
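The same approach extended to the two permitted clients from the original question, as an added configuration example that is not part of the thread (the two source addresses 192.0.2.10 and 192.0.2.20 are constructed placeholders; the class-map name P_ARDS_ALLOWED_SRC is assumed, and the match-any form is assumed to be accepted alongside the match-all form shown in the reply):

```cisco
! Added example, not from the thread. Two client addresses are constructed
! placeholders; replace them with the real sources that may reach the VIP.
class-map type http loadbalance match-any P_ARDS_ALLOWED_SRC
  2 match source-address 192.0.2.10 255.255.255.255
  3 match source-address 192.0.2.20 255.255.255.255

! Replace the catch-all class-default with the restricted class. Because this
! is a first-match policy, a connection from any other source matches no
! class and is therefore not load balanced (the request fails, as in the reply).
policy-map type loadbalance first-match P_ARDS_P_LB
  class P_ARDS_ALLOWED_SRC
    sticky-serverfarm P_ARDS_S_LB

! The multi-match policy is unchanged: P_ARDS_P_LB is only attached to the
! P_ARDS_VS_LB class (the single VIP), so the other VIPs keep their own
! class-default behaviour and are not affected.
policy-map multi-match VIP_vlan485
  class P_ARDS_VS_LB
    loadbalance vip inservice
    loadbalance policy P_ARDS_P_LB
    loadbalance vip icmp-reply active
```

Keeping a "class class-default" line in P_ARDS_P_LB would let all other sources through again, so omit it if the intent is to fail everything except the two listed clients.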
