Re-direct based on source ip address

Similar Messages

• Route call based on source IP address

  Hello Guys,
  Is there a way to route calls based on source IP address?
  I want to redirect calls to specific queues based on the ip of the phone who's starting it.
  Any ideas?
  Thanks in advance.
  Filipe Leite                  

  Hi Filipe
  I'm assuming here that you are using CallManager rather than CME?
  One option might be to use the 'device mobility' feature to assign a specific CSS to devices based on their IP subnet. That CSS could have the appropriate partitions to route to a seperate trigger that directs calls to a separate CSQ.
  Of course, whether you can do this depends on whether it would be appropriate to override the device CSS in this way.
  Aaron

• Load balancing based on source IP address

  Hi,
  I configured a CSS to balance the load depending on source IP address to suppport a application feature in the server.
  We have two firewalls and behind we have different users. We have also two servers behind the CSS.
  Firewalls perform NAT with a unique outside IP address. So, for example, in these conditions the CSS balances requests coming from FW 1 to server 1 and requests coming from FW 2 to server 2. Is it correct this scenario?
  Is it possible that requests coming from FW 1 could be forwarded to Server 2 and viceversa?
  Could anyone answer me?
  Thanks in advance.
  Best regards.
  Giuseppe.

  Giuseppe,
  it all depends on how you configured your CSS.
  Did you use an ACL to force traffic from SRC1 to server1 and traffic from SRC2 to server2 ?
  Or did you simply configure sticky based on source ip or a source ip hash loadbalancing ?
  Except the ACL, all other methods do not guarantee that the traffic will be splitted in 2.
  Gilles.

• ACE load balance based on Source IP Address

  Hi Cisco  Support,
  I have question  related to Cisco ACE behavior in term to taking a decision based on source  address
  I currently have two  servers sits behind ACE part of one server farm, these servers are load balanced  via one VIP on ACE module and every things looks fine.
  Now service  owners want to replace these old servers with new hardware hence before the  migration we need to make sure these new servers are working as required standard hence  need to create a testing scenario for new servers along with old server. The problem is that number of third party partners are accessing existing servers by hitting VIP on ace and we  can't engage all our partner to participate in this test therefore decided to  engage only one partner to carry our test with us.
  For that reason can  we some how configure the ACE so when packet arrive on ACE from one test partner  mentioned above, ACE send only that partner's traffic based on it's source address  (define via class/policy map on ACE if possible) towards new servers in the existing server  farm and not to the old server in the same server farm.
  Thanks for your  support

  Hi,
  Just to put some config sample that might help you to get this done.
  First create the new rservers and include them under a new serverfarm (New-APP)/
  serverfarm host Webfarm
    rserver SVR1
      inservice
    rserver SVR2
      inservice
  serverfarm host New-APP
    rserver New-1
      inservice
    rserver New-2
      inservice
  - Same VIP already working.
  class-map match-all VIP-HTTP
    2 match virtual-address 10.10.10.10 tcp eq www
  - Create a new class that will include your partner's IP(s).
  class-map type http loadbalance match-any 3rd-Party
    2 match source-address 200.200.200.1 255.255.255.255 
    3 match source-address 200.200.200.10 255.255.255.255 
  Modify your current first-match policy to put the new class on top so that all the traffic matched by the statement above (IP) will be redirected to the new farm with the new APP, any other traffic that does not match the "rule" will be sent to the old serverfam with the old app.
  policy-map type loadbalance first-match L7-SLB
    class 3rd-Party
      serverfarm New-APP
    class class-default
      serverfarm Webfarm
  Since you already have LB working then this is it, nothing needs to be added under the multi-match policy nor interface.
  HTH
  Pablo

• Redirect based on source IP address????

  I have a site that I don't want our competitors to view! By
  tracking code, I have managed to obtain their source IP addresses.
  After looking around, there is a .php solution to my problem
  but my host is not well suited to .php files (although it does some
  processing).
  My pages are in .shtml (to process css drop-down menus
  correctly) and I understand that this attached code, if put at the
  top of the page before anything else, will work.
  I have managed to get one working
  http://www.donbur.co.uk/gb/newindex.php
  but am having difficulty getting this code to work elsewhere.
  The problem is, when I try to put this code into either a
  template or as an include, it won't process correctly or the page
  won't render at all.
  Do I have to use .php files or can I insert php script into
  an .shtml document.
  Getting really confused now.... HELP

  Thanks for the constructive advice...
  quote:
  >After looking around, there is a .php solution to my
  problem but my host is not well
  >suited to .php files (although it does some processing).
  What does this mean? Does your hosting plan include php
  support or not?
  You can't just put a php script into any page. It needs to be
  a .php page or you need to reconfigure the server to parse other
  pages for php. But if your hosting plan doesn't support php then it
  won't work in any case.
  My host is BT Internet and they claim not to process .php
  files which is why our main .php site is hosted elsewhere; however,
  it seems that, although it has difficulty (to clarify: doesn't
  render) with main full scripts, it does seem to process simple
  <?php echo commands for example.
  It has been suggested on another forum that the .shtml files
  are set to be recognised by .php in the cpanel but our host will
  not do this...
  Our competitors are not particularly smart or up-to-date and
  this would have been reasonably effective; however, I bow to better
  judgement and close this topic.

• VRF selector using PBR or Source IP address

  Could anyone can tell which is the better choice of VRF selector using PBR or Source IP address? From Cisco doc, VRF selection based on Source take advance over PBR. My feeling is that PBR may match more criterias than just match source IP address.
  Thanks

  I would personally use the "VRF selection based on source IP address" only where the "VRF selection using PBR" is not available since the latter is a superset of the former.
  Hope this helps,

• Redirecting traffic based on source address on CSS11503

  Hi all,
  I need to redirect HTTP traffic originating from a specific range of IPs to a specific farm of HTTP servers. More specifically, I need request comming to CSS's outside VIP address on port 80/tcp to be redirected to the HTTP farm (2 boxes with RFC1918 addresses) on port 30084/tcp.
  The trick is that this rule should only apply for a certain range of source IP addresses. The rest should be content switched normally. I.e. 80/tcp -> 80/tcp, etc.
  Is this possible with ACL or somthing similar?
  I'm running WebNS 7.20 on a CSS11503.
  Thanks,
  haver

  you could create a 2nd VIP like x.x.x.x:81 and
  a service like
  service redirect
  domain x.x.x.x:81
  type redirect
  keepalive type none
  Under the Vip x.x.x.x:81, you configure the 2 services with private ip addresses and port 30084.
  Then you create an ACL
  acl 10
  clause 10 permit tcp destination content prefer redirect
  clause 99 permit any any destination any
  apply circuit-VLAN...
  Don't forget you will need an ACL permit any any on all other interfaces to avoid blocking the rest of the traffic.
  What this will do is tell the browser to close the current connection to vip:80 and reopen a new one to vip:81 and this will be loadbalanced to the private servers.
  Gilles.

• Providing Access based on Client IP Address

  Current Scenario  -
  SAP Portal is accessible directly and via Citrix (VPN).
  Based on the URL alias - we have implemented Desktop Filtering.
  eg if the URL ends with / internet - You get restricted roles
  eg if the URL ends with / intranet - You get wider roles
  In Production, we also have Netscaler Reverse Proxy and HTTPs settings in place for External (outside firewall) access.
  New Requirement (Example) -
  Based on the IP address of the client, determine which subnet it falls under and based on that -
  If used within Citrix - Provide certain roles
  If not used within Citrix - Restricted access / Redirect to a different URL on the redirect server.
  Questions -
  With the current desktop filtering in place based on URL determination and no specific restriction for inside/outside Citrix access -
  1 - Please suggest which would be a good way to crack this? Inside Portal (IP address determination and SAP Logon modification) / Outside Portal (eg Citrix, Network OS Exit, Reverse Proxy etc) based on Best Practise ?
  2 - Not sure if this is relevant : Find IP address of Client with webdybpro (This API works only in Web Dynpro and not PDK) ? I believe tweaking SAP Logon logic can get very painful  and overtly complicated for such scenarios.
  Thanks for your inputs ~ Dhanz

  Vivek,
  On the coding front -
  1 - Will reading the IP address  in the header field x-forwarded-for retrieve right results if reverse proxy is in place ? Wouldnt it retrieve the proxy / load balancer IP instead of Client IP ?
  2 - Also we have HTTPS settings for extranet access - So encrypted data (eg Client IP ) is transferred that the Web Dispatcher cannot manipulate ?
  Please suggest.
  Remember to be polite
  Edited by: Anja Engelhardt on Jan 27, 2012 11:27 AM

• Bandwidth Limit based on Source IP?

  Hi
  I am trying to think of a way to apply a bandwidth limit based upon Source IP subnet.
  I need to have the ability to limit both the outbound and inbound traffic.
  So I created the following config:
  policy-map bw-limit-inbound
   class bw-limit-class
    police 10000
  class-map match-any bw-limit-class
   match access-group 150
  access-list 150 permit ip 172.16.99.0 0.0.0.255 any
  If I apply the Service Policy inbound, it does police the upload to 100Kbps.
  If I apply it outbound, it does nothing to the download.
  Any reason for this?
  I am applying this to an SVI
  Thanks

  Hi Guys
  Just to update this thread, I figured out where I was going wrong!
  As mentioned by Mikael, the ACL only shows traffic one way, hence why it was not applying the service policy to the download.
  I have three subnets I want to Police both outbound and inbound so I started with Three ACLs:
  access-list 197 permit ip 172.16.97.0 0.0.0.255 any
  access-list 197 permit ip any 172.16.97.0 0.0.0.255
  access-list 198 permit ip 172.16.98.0 0.0.0.255 any
  access-list 198 permit ip any 172.16.98.0 0.0.0.255
  access-list 199 permit ip 172.16.99.0 0.0.0.255 any
  access-list 199 permit ip any 172.16.99.0 0.0.0.255
  I then created the relevant class maps:
  class-map match-all vlan998-download
   match access-group 198
  class-map match-all vlan999-download
   match access-group 199
  class-map match-all vlan997-download
   match access-group 197
  class-map match-all vlan998-upload
   match access-group 198
  class-map match-all vlan999-upload
   match access-group 199
  class-map match-all vlan997-upload
   match access-group 197
  Then the service policies:
  policy-map download-limit
   class vlan997-download
    police 2000000
   class vlan998-download
    police 3000000
   class vlan999-download
    police 4000000
  policy-map upload-limit
   class vlan997-upload
    police 200000
   class vlan998-upload
    police 300000
   class vlan999-upload
    police 400000
  Then finally applied those to the relevant SVI:
  interface Vlan102
   ip vrf forwarding WAN2
   ip address 10.20.2.2 255.255.255.0
   ip nat inside
   ip virtual-reassembly in
   service-policy output download-limit
   service-policy input upload-limit

• HTTP Redirect based upon SRC IP Address

  Is there a way to perform an http redirect based upon user's source IP address on the CSM/GSS environment?
  Logic:
  IF < src ip address is within exception list > THEN
  http redirect to URL2
  ELSE
  http to URL1
  END

  Is there a version of this solution (redirect by client source IP) for the CSS?
  I'm attempting to redirect clients from a few specific networks (source IP's) to the VIP of a second CSS using a service-type redirect and "prefer " ACL commands:
  clause 10 permit any 1.1.1.0 255.255.252.0 destination content owner/content-rule prefer service-type-redirect
  There is an "any any destination any" last clause in the ACL for the remaining source IPs. The ACL is applied to the incoming circuits leading to the webservers.
  A show of the ACL's shows all responses - no matter the client source IP - being caught by the permit any clause at the end of the ACL.
  Extra points: this is a one-arm design with source group destination applied (to return server traffic to the CSS) and traffic is https with SSL terminating at the servers (no SSL module). Content rules are set to be sticky for srcip. Both CSSs are answering content-based DNS queries for the same URL with their local VIP address (but controlling which DNS server clients query isn't readily possible, so static proximity using DNS didn't provide the answer).
  Each CSS is in a different data center: the idea is to keep traffic local by redirecting non-local traffic to its "local" (the other) CSS if services are active (and to keep traffic on the first CSS if the services at the redirected-to CSS are down).
  Don't want too much, do I? ;-)
  Thanks for everyone's time -
  -K.

• IIS Logs display CSS11501 IP address instead of external source IP address.

  (FW)---(CSS11501)---(SERVERS)
  Basic configuration, everything on VLAN1. Servers in web farm are logging attacks, etc. Source IP address all show the CSS instead of the originating IP address coming from the outside.
  What do I need to add/change to allow servers to see the actual IPs from the outside?

  Yes, inline configuration. FW connects to L2 switch crossed over to CSS, Servers are connected to CSS ports directly. However the servers Default Gateway is the FW not the CSS, that is what I believe I need to change in order for it to work, is that correct, or is there something else?
  Example:
  circuit VLAN1
  ip address x.x.x.x x.x.x.x
  owner xyz
  address "xyz"
  content rule.100.https
  protocol tcp
  port 443
  url "/*"
  add service serv.1.https weight 1
  add service serv.2.https weight 2
  add service serv.3.https weight 3
  vip address x.x.x.100
  application ssl
  advanced-balance ssl
  sticky-mask 255.255.255.0
  sticky-inact-timeout 15
  dnsbalance roundrobin
  balance srcip
  active
  group source.100
  vip address x.x.x.100
  add destination service serv.1.https
  add destination service serv.2.https
  add destination service serv.3.https
  active

• Jdbc connection set source ip address

  Hi
  Is there any way to specify the local (source) ip address of a jdbc connection ?
  I work in an enterprise environment with firewalls all over, and only certain ip addresses can connected to other ip addresses.
  The server which runs my application has many ip addresses and
  I'd like to be sure that my ip address is the source...
  Thanks
  Gabor Dolla
  Budapest, Hungary

  No, certainly not in the JDBC API. I don't believe there's even a way to do this in the java.net Socket API. There's the very slimmest of slim chances that a particular driver might implement something like this, in which case it would be in the driver's documentation. However, the chances are so slim that I'd bet strongly against any driver doing this.
  The source address is usually picked by the operating system, based on the routability to the target IP address. Basically, the OS network services looks at the target IP and says to itself, "which (logical) interface can get there? That's the source IP I will use". If your host's routing says there are multiple routes to the IP, then it will pick one; if there's only one route to the particular IP, there will be only one interface (and therefore source IP) that can be chosen.
  There's no reason Java or a driver couldn't be extended to do this, but no particular demand either; the problem is usually dealt with at the network layer.

• Tracing TCP Source/Destination Addresses/Ports for ongoing connections

  On Solaris 10 U4 through U7, I'm trying the following just to perform basic tracking of TCP source/destination addresses and ports, using code similar to what is available in tcpsnoop_snv and tcptop_snv.
  The odd thing is that the addresses/ports appear to be zeroed out - are they being cached outside of the conn_t data structure?
  #!/usr/sbin/dtrace -Cs
  #pragma D option switchrate=10hz
  #pragma D option bufsize=512k
  #pragma D option aggsize=512k
  #include <sys/file.h>
  #include <inet/common.h>
  #include <sys/byteorder.h>
  #include <sys/socket.h>
  #include <sys/socketvar.h>
  /* First pass, for all TCP Read/Write actions, collect source/destination
     IP + Port - after a few secs, print them all out */
  fbt:ip:tcp_send_data:entry
    /* Outgoing TCP */
    self->connp = (conn_t *)args[0]->tcp_connp;
  fbt:ip:tcp_rput_data:entry
    /* Incoming TCP */
    self->connp = (conn_t *)arg0;
  fbt:ip:tcp_send_data:entry,
  fbt:ip:tcp_rput_data:entry
  /self->connp/
    /* fetch ports */
  #if defined(_BIG_ENDIAN)
    self->lport = self->connp->u_port.tcpu_ports.tcpu_lport;
    self->fport = self->connp->u_port.tcpu_ports.tcpu_fport;
  #else
    self->lport = BSWAP_16(self->connp->u_port.tcpu_ports.tcpu_lport);
    self->fport = BSWAP_16(self->connp->u_port.tcpu_ports.tcpu_fport);
  #endif
    /* fetch IPv4 addresses */
    this->fad12 =
      (int)self->connp->connua_v6addr.connua_faddr._S6_un._S6_u8[12];
    this->fad13 =
      (int)self->connp->connua_v6addr.connua_faddr._S6_un._S6_u8[13];
    this->fad14 =
      (int)self->connp->connua_v6addr.connua_faddr._S6_un._S6_u8[14];
    this->fad15 =
      (int)self->connp->connua_v6addr.connua_faddr._S6_un._S6_u8[15];
    this->lad12 =
      (int)self->connp->connua_v6addr.connua_laddr._S6_un._S6_u8[12];
    this->lad13 =
      (int)self->connp->connua_v6addr.connua_laddr._S6_un._S6_u8[13];
    this->lad14 =
      (int)self->connp->connua_v6addr.connua_laddr._S6_un._S6_u8[14];
    this->lad15 =
      (int)self->connp->connua_v6addr.connua_laddr._S6_un._S6_u8[15];
  /* At this point, this->{f|l}ad1{2345}->connua_v6addr.connua_{f|l}addr._S6_un.S6_u8
      are empty - where is this data? */
  }

  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.50/command/reference/CmdGrpC.html#wp1139667
  portmap [base-port base_number|disable|enable|number-of-ports number|vip-address-range number]
  disable
  Instructs the CSS to perform Network Address Translation (NAT) only on the source IP addresses and not on the source ports of UDP traffic hitting a particular source group. This option does not affect TCP flows.
  For applications with high-numbered assigned ports (for example, SIP and WAP), we recommend that you preserve those port numbers by configuring destination services in source groups. Destination services cause the CSS to NAT the client source ports, but not the destination ports.
  Note If you disable flows for a UDP port using the flow-state table and configure the portmap disable command in a source group, traffic for that port that matches on the source group does not successfully traverse the CSS.
  The CSS maintains but ignores any base-port or number-of ports (see the options above) values configured in the source group. If you later reenable port mapping for that source group, any configured base-port or number-of ports values will take effect. The default behavior for a configured source group is to NAT both the source IP address and the source port for port numbers greater than 1023.
  There is no possibility to disable it for TCP.
  We need to source nat the port to guarantee that the server response comes back on the same module/CPU and the internal packet allocation algorithm is based on src and dst ports.µ
  Gilles:

• CSS Source IP address Missing

  Server A, Server B, Server C are connected directly to CSS (Network Address 192.168.XX.XX). clients access the servers through Internet and get connected as well as load balanced. But our servers are unable to track the source IP address of the clients logging through Internet. Is there any configuration where servers can track the source IP address.

  Hi,
  The CSS would be doing source NATing if you have a group configured with "add destination service".
  This is needed to prevent asymmetric flows, but if the servers are directly connected to the CSS, there would be no asymmetric flows, hence you can get rid of the group and the CSS will start sending traffic to the server with original client's IP.
  Configure the CSS as the default gateway of your servers to make sure they wont bypass the CSS on the way back.
  Hope it helps!!
  Diego M.

• How do I stop Firefox from redirecting me to another site based on my IPS address?

  I work in California. Our corporate offices are in Oklahoma and my desktop computer is set up with an IPS address in OK. When I try to go to the CA website for AAA, Firefox redirects me to the OK website for AAA. How do I stop from being redirected to OK sites when trying to open CA sites?

  hello eajames, sites can show you content and redirect you based on your IP address which will reveal your approximate location - there is not much a browser can do against this...
  http://www.yougetsignal.com/tools/network-location/