02-28-2011 06:39 AM
Dear all,
I'm trying to find out whether you can restrict access to a single VIP to only 2 different source IP addresses.
Our situation looks like this:
ACE module set up in a one-armed design, using NAT.
About 200 VIPs are defined.
I know you can restrict access using an access-list and applying it to the interface.
But I was hoping this restriction could be configured within the particular class-map / policy-map of this single VIP configuration?
Here's also a snapshot from our load balancer, showing (only) the single VIP configuration.
(I explicitly did not include all other 199 VIP configurations.)
PS: the traffic hitting this VIP is NOT HTTP traffic, but generic TCP traffic.
In advance, thanks for any feedback.
Truly appreciate it !
access-list 101 extended permit ip any any
rserver host P_ARDS_1
  ip address x.x.32.130
  inservice
rserver host P_ARDS_2
  ip address x.x.32.128
  inservice
rserver host P_ARDS_3
  ip address x.x.10.69
  inservice
rserver host P_ARDS_4
  ip address x.x.10.79
  inservice
serverfarm host P_ARDS_SF_LB
  predictor leastconns
  probe PING
  rserver P_ARDS_1
    inservice
  rserver P_ARDS_2
    inservice
  rserver P_ARDS_3
    inservice
  rserver P_ARDS_4
    inservice
class-map match-all P_ARDS_VS_LB
  2 match virtual-address 10.0.0.1 tcp any
policy-map type loadbalance first-match P_ARDS_P_LB
  class class-default
    sticky-serverfarm P_ARDS_S_LB
policy-map multi-match VIP_vlan485
  class P_ARDS_VS_LB
    loadbalance vip inservice
    loadbalance policy P_ARDS_P_LB
    loadbalance vip icmp-reply active
interface vlan 101
  ip address 10.120.18.133 255.255.255.240
  alias 10.120.18.132 255.255.255.240
  peer ip address 10.120.18.134 255.255.255.240
  access-group input 101
  access-group output 101
  service-policy input MNGT_101
  service-policy input NAT_vlan101
  service-policy input VIP_vlan101
  no shutdown
03-02-2011 05:47 PM
Hi Wim,
Let's say you want to restrict access to a client with source IP 1.1.1.1; then you can configure a class-map to match on the source IP:
class-map type http loadbalance match-all Source-IP
  2 match source-address 1.1.1.1 255.255.255.255
And apply it to the policy-map:
policy-map type loadbalance first-match P_ARDS_P_LB
  class Source-IP
    sticky-serverfarm P_ARDS_S_LB
With the above config, for any request hitting the VIP, it will check if the source IP matches class-map 'Source-IP'; if it does, then it will be load balanced; if not, then the request will fail.
Hope this helps,
Best Regards,
Rahul
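The following is an added example, not part of the question or of Rahul's reply, extending his approach to the two source addresses the question asks for and to the generic (non-HTTP) TCP traffic it describes. It assumes the ACE generic load-balance class-map/policy-map syntax; the two client addresses 192.0.2.10 and 192.0.2.20 and the class-map name ARDS_ALLOWED_SRC are placeholders, and the serverfarm is the P_ARDS_SF_LB defined in the question's snapshot.

```text
! Added example configuration (not from the original post).
! Placeholders: 192.0.2.10 / 192.0.2.20 (permitted clients), ARDS_ALLOWED_SRC.
!
! One match line per permitted source. match-any is required here:
! a match-all class with two source-address lines can never match,
! because a single connection has only one source IP.
class-map type generic loadbalance match-any ARDS_ALLOWED_SRC
  2 match source-address 192.0.2.10 255.255.255.255
  3 match source-address 192.0.2.20 255.255.255.255

! first-match: the first class that matches is used. There is
! deliberately no class-default, so a connection from any other
! source matches no class and is refused by the ACE rather than
! being load balanced (this is the implicit deny that does the
! restricting).
policy-map type loadbalance generic first-match P_ARDS_P_LB
  class ARDS_ALLOWED_SRC
    serverfarm P_ARDS_SF_LB

! The existing L3/L4 class P_ARDS_VS_LB and the multi-match policy
! that references "loadbalance policy P_ARDS_P_LB" stay unchanged.
```

Two points worth checking after applying something like this: the restriction lives in the load-balance policy, so it governs only connections that are actually load balanced; the interface ACL (access-list 101 permit ip any any in the question) still admits traffic from every source at L3/L4, and "loadbalance vip icmp-reply active" still answers pings to the VIP from any address. If that is not acceptable, the interface access-list remains the place to restrict it. Hit counts per class can be inspected with "show service-policy <name> detail" to confirm that connections from other sources are being dropped rather than served.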