Source ip filtering with class map on cisco ace30
Hello,
I would like to know if it is possible to filter source IPs connecting to a virtual IP within a class-map configuration (or something else)?
access-list S_IP_FILTERING line 8 extended permit ip host 1.1.1.1 any
class-map match-all S_IP_FILTERING_XVIP
2 match access-list S_IP_FILTERING
3 match virtual-address 2.2.2.2 any
Error: Only one match access-list is allowed in a match-all class-map and it cannot mix with any other match type
thanks for your support
Case,
Hi,
Yes, it is possible to do this. Use the ACL filter for the source IP address under the policy-map type loadbalance. Then you would call that load balance policy in your multi-match policy under the appropriate class.
for example:
class-map type http loadbalance match-any LOADBALANCE-FILTER
2 match source-address X.X.X.X 255.255.255.255
class-map match-any TEST-CLASSMAP
2 match virtual-address Y.Y.Y.Y tcp eq www
policy-map type loadbalance first-match LOADBALANCE
class LOADBALANCE-FILTER
serverfarm TEST-SERVERFARM
policy-map multi-match UTC-PM
class TEST-CLASSMAP
loadbalance policy LOADBALANCE
loadbalance vip inservice
-Alex
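The pattern Alex describes, written out as an added example (not part of the original thread) for the VIP in the question: the source allow-list lives in a Layer 7 class-map, the Layer 3/4 class-map carries only the VIP so the "only one match access-list" restriction never comes into play, and everything that is not on the allow-list hits an explicit drop rather than relying on the implicit no-match behaviour. The class-map, policy-map and serverfarm names, and the second allowed subnet, are placeholders chosen for this example.

```cisco
! Added example: source-IP allow-list for VIP 2.2.2.2:80 on an ACE.
! Names SRC-ALLOWED, VIP-2.2.2.2-WWW, LB-SRC-FILTER, VIP-PM and APP-FARM,
! and the 10.10.20.0/24 subnet, are placeholders for this example.

! Layer 7 class: the allowed sources. match-any is fine here because
! every line is the same match type (source-address); add one line per
! host or subnet.
class-map type http loadbalance match-any SRC-ALLOWED
  2 match source-address 1.1.1.1 255.255.255.255
  3 match source-address 10.10.20.0 255.255.255.0

! Layer 3/4 class: only the VIP. No match access-list in here, so there
! is nothing to conflict with match virtual-address.
class-map match-all VIP-2.2.2.2-WWW
  2 match virtual-address 2.2.2.2 tcp eq www

! first-match: allowed sources reach the farm; every other source falls
! through to class-default and is dropped explicitly, which also makes
! the intent obvious to the next person reading the config.
policy-map type loadbalance first-match LB-SRC-FILTER
  class SRC-ALLOWED
    serverfarm APP-FARM
  class class-default
    drop

! Attach the LB policy to the VIP in the multi-match policy.
policy-map multi-match VIP-PM
  class VIP-2.2.2.2-WWW
    loadbalance vip inservice
    loadbalance policy LB-SRC-FILTER
```

Two things to keep in mind with this approach. Hit counts per class are visible with `show service-policy VIP-PM detail`, which is the quickest way to confirm that a blocked source is landing in class-default rather than in SRC-ALLOWED. And because the filter is evaluated in the Layer 7 policy, the ACE completes the TCP handshake with the VIP before it decides to drop; if the requirement is that unauthorized sources never get a SYN/ACK at all, an interface ACL applied with `access-group input` on the client-facing VLAN is the stronger control, and the Layer 7 allow-list then acts as a second layer.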
Similar Messages
-
Help with Class-map configuration - ZBFW
Hello,
I need some clarification regarding the class-map configuration in a ZBFW. I need to allow HTTPS, HTTP, FTP and RDP traffic from the Internet to a few of the servers inside our LAN. So I put the below configuration in place to accomplish the task (the example shows the class-map for only the HTTPS protocol):
a.)
class-map type inspect match-all HTTPS-ACCESS
match protocol https
match access-group name HTTPS-SERVER-ACCESS
ip access-list extended HTTPS-SERVER-ACCESS
permit tcp any host 172.17.0.55 eq 443
permit tcp any host 172.17.0.56 eq 443
permit tcp any host 172.17.0.36 eq 443
permit tcp any host 172.17.0.45 eq 443
permit tcp any host 172.17.0.60 eq 443
Where 55,56,36,45,60 are the servers inside the LAN (12 more servers are there) that need to be accessed via https,http,ftp & rdp from Internet.
Is it a correct approach? Or do I need to change my configuration so that I match an ACL with my class-map like below:
b.)
ip access-list extended OUTSIDE-TO-INSIDE-ACL
permit tcp any host 172.17.0.55 eq 443
permit tcp any host 172.17.0.55 eq www
permit tcp any host 172.17.0.55 eq 21
permit tcp any host 172.17.0.55 eq 3389
permit tcp any host 172.17.0.56 eq 443
permit tcp any host 172.17.0.56 eq www
permit tcp any host 172.17.0.56 eq 21
permit tcp any host 172.17.0.56 eq 3389
permit tcp any host 172.17.0.36 eq 443
permit tcp any host 172.17.0.36 eq www
permit tcp any host 172.17.0.36 eq 21
permit tcp any host 172.17.0.36 eq 3389
permit tcp any host 172.17.0.45 eq 443
permit tcp any host 172.17.0.45 eq www
permit tcp any host 172.17.0.45 eq 21
permit tcp any host 172.17.0.45 eq 3389
class-map type inspect match-all OUT-IN-CLASS
match access-group name OUTSIDE-TO-INSIDE-ACL
Which one is the correct approach when we consider the performance of the firewall? Please help me.
Regards,
Yadhu
Hey,
I do not agree with Varun, I think the first approach is the best one.
Why? Because when you issue "match protocol ..." you are using NBAR, which is application inspection software, which means that HTTPS (or whatever protocol) is inspected at layer 7, not at layers 3 and 4 as the second approach does (IP address and port number).
Let's say you use the second approach and an attacker uses some malicious protocol that runs over port 443 or whatever (a port that you opened). That attack would be successful, because all you are saying is: you are going to IP address 172.17.0.56 over port 443, so go ahead.
But if you are using NBAR, this would not work, because NBAR will look at layer 7, inside the protocol itself, and check whether this really is HTTPS (or whatever protocol).
That's my two cents. Hope it helped! -
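Approach a) from the question, wired into a complete zone-pair as an added example (not part of the original thread). It shows the two pieces the thread discusses working together in one match-all class (NBAR protocol classification AND the destination ACL) and makes the default deny explicit and logged. The zone names, policy name and interface names are assumptions; the ACL is shortened to two of the servers from the question.

```cisco
! Added example: ZBFW zone-pair using the match-all class from approach a).
! Zone names INSIDE/OUTSIDE, policy name OUT-IN-POLICY and the interface
! names are placeholders for this example.
ip access-list extended HTTPS-SERVER-ACCESS
 permit tcp any host 172.17.0.55 eq 443
 permit tcp any host 172.17.0.56 eq 443

! match-all: the flow must be classified as https by NBAR AND be
! destined to one of the listed servers on 443. Either condition alone
! is not enough.
class-map type inspect match-all HTTPS-ACCESS
 match protocol https
 match access-group name HTTPS-SERVER-ACCESS

! Stateful inspection for the allowed class; everything else from the
! Internet is dropped and logged so the misses are visible.
policy-map type inspect OUT-IN-POLICY
 class type inspect HTTPS-ACCESS
  inspect
 class class-default
  drop log

zone security INSIDE
zone security OUTSIDE

! Direction matters: this pair only governs Internet -> LAN. Return
! traffic is handled by the inspect state, not by a second pair.
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUT-IN-POLICY

interface GigabitEthernet0/0
 description Internet
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 description LAN
 zone-member security INSIDE
```

Check the result with `show policy-map type inspect zone-pair OUT-IN`, which lists packets matched per class, including the drops in class-default. One caveat worth stating plainly: for port 443 NBAR can confirm that a flow looks like TLS, but it cannot see into the encrypted payload, so the protocol match raises the bar for a non-TLS service hidden on 443 rather than inspecting the application inside the tunnel.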
Determine Target directory from Source file names without mapping
Hi All,
I have a requirement to determine the Target Directories from the Source file names.
File Sender Adapter - XI - File Receiver Adapter
In this scenario I am not doing any mapping. Source File directory contain 3 files. These file should go to 3 directories in the Target Server.
Please help me how can meet this requirement
Thanks in advance
KevinHi Kevin,
If you can separate the files by name, have 3 sender communication channels, each picking up one of the files (you do this by making the regex in the file name mutually exclusive), and then send them all to the target system using the same communication channel.
regards,
Horia -
Trying to understand the class-default for marking
I have the concept of Identify traffic with ACLs
Classify traffic for marking with class-maps
Mark traffic with policy-maps
The policy-map will always have a class-default for unaccounted traffic.
What I don't quite understand is that there is no class-map named class-default.
When servicing the "policy", the class-maps are referenced with "class A", "class B", "class class-default".
When looking for the matches on class class-default, there is no referenced class-map to go to....
I figured I have to accept that this logic means that if traffic was not specifically matched by the collection of class-maps in the config, IOS assumes the traffic is class-default.
I had put a config together to classify certain traffic as CS0, like SNMP... I wanted to force traffic there as well as having all unaccounted traffic classified as CS0.
But from what I read, if I don't have SNMP matched in any class-map in the config, then this traffic would find itself in
policy-map XXX
class class-default
set ip precedence 0
even though class-default does not exist as class-map class-default.
Hi,
You want to mark some traffic as CS0 and then count that traffic? But you won't know which traffic had CS0 imposed or was natively IPP 0, like all data traffic not specifically marked.
The class class-default exists; just do a show class-map and you'll see it. It is IOS which creates it.
Doing a show policy-map interface will show you which class-map was matched. -
I have an application that is getting blocked by the Trend Micro CSC under the http class-map. I need it to ignore HTTP traffic from 172.16.1.0/24 and allow all else. I haven't worked with class-maps much, but my thinking is an ACL with the IP subnet and a match statement under the class-map, but where I have the question is: will the ACL be
permit ip 172.16.1.0 255.255.255.0 any
deny ip any any
or the other way around?
deny ip 172.16.1.0 255.255.255.0 any
permit ip any any
That's right,
but with the ACL you have written above you will ignore web traffic from 172.16.1.0/24 to 192.168.0.0
and will match any other web traffic,
but nothing else,
I mean no SMTP, POP3 or FTP.
If you want to match anything else after the deny or ignore statement
you have to add permit ip any any.
After you match it with the class-map,
apply it to a policy-map
like policy-map global_policy (which is the default global policy):
class (your class-map name)
csc fail-open
then
service-policy global_policy global
In this case it will be applied to all interfaces.
Good luck
Rate if helpful -
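The exemption the reply describes, written out as an added example (not part of the original thread). The ACL is evaluated first-match, so the deny for the exempt subnet has to precede the permit; a deny in a class-map ACL means "not sent to the CSC module", not "blocked", so the exempt hosts still reach the web, just unscanned. The ACL and class-map names are placeholders; the four service ports are the ones the reply lists as what CSC handles.

```cisco
! Added example: exempt 172.16.1.0/24 from CSC web scanning on an ASA
! while still sending everyone else's HTTP, FTP, SMTP and POP3 to the
! module. CSC-SCAN and CSC-CLASS are placeholder names.

! Order is everything: the deny must come before the permit, otherwise
! the exempt subnet matches "permit tcp any any eq www" first.
access-list CSC-SCAN extended deny tcp 172.16.1.0 255.255.255.0 any eq www
access-list CSC-SCAN extended permit tcp any any eq www
access-list CSC-SCAN extended permit tcp any any eq ftp
access-list CSC-SCAN extended permit tcp any any eq smtp
access-list CSC-SCAN extended permit tcp any any eq pop3

class-map CSC-CLASS
 match access-list CSC-SCAN

! fail-close: if the CSC module is down, matched traffic is blocked
! rather than passed unscanned. The reply uses fail-open, which keeps
! the traffic flowing but silently removes the scanning.
policy-map global_policy
 class CSC-CLASS
  csc fail-close

service-policy global_policy global
```

`show service-policy csc` shows the per-class counters and the module state, so you can confirm that connections from the exempt subnet are no longer counted against the CSC class while the rest still are. Whether to choose fail-open or fail-close is a policy decision: fail-open favours availability of the web for users, fail-close favours never letting unscanned mail or downloads through.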
ACE ignoring class map depending on source???
I have a problem with a the load balancing "not working" properly depending on the source.
The load balancing decision is done with a secondary cookie (?ld=fe1 or ?ld=fe2). If it appears and the value is fe1, the request should go to serverfarm FE1-app. If the value is fe2, then serverfarm FE2-app should be chosen. If it is not present in the HTTP request, then serverfarm FE-app in the class-default takes over.
This approach works if "surfing" to the VIP from a certain part of the internal network. It does not work from another part of the network. It seems that cookie is ignored and only the class default triggers.
The strange thing is that the same approach works for another setup that looks identical (with different rservers and different VIP of course). There the class map for the cookie triggers always.
My question is now: Why does the ACE seem to ignore the class map for the cookie when coming from a certain part of the network? How can I debug/follow a certain connection or load balancing decision?
Here is the config:
rserver host FE1-app
description frontend app
ip address 192.168.137.69
inservice
rserver host FE2-app
description frontend app
ip address 192.168.137.74
inservice
serverfarm host FE1-app
rserver FE1-app 80
inservice
serverfarm host FE2-app
rserver FE2-app 80
inservice
serverfarm host FE-app
rserver FE1-app 80
inservice
rserver FE2-app 80
inservice
class-map type http loadbalance match-all COOKIE-FE1
2 match http cookie secondary ld cookie-value "fe1"
class-map type http loadbalance match-all COOKIE-FE2
2 match http cookie secondary ld cookie-value "fe2"
class-map match-all VIP-app
2 match virtual-address 192.168.138.39 tcp eq www
policy-map type loadbalance first-match VIP-app-loadbalance
class COOKIE-FE1
serverfarm FE1-app
class COOKIE-FE2
serverfarm FE2-app
class class-default
serverfarm FE-app
policy-map multi-match INT470
class VIP-app
loadbalance vip inservice
loadbalance policy VIP-app-loadbalance
loadbalance vip icmp-reply
interface vlan 470
description lb_rpfedrift
ip address 192.168.138.36 255.255.255.240
alias 192.168.138.35 255.255.255.240
peer ip address 192.168.138.37 255.255.255.240
service-policy input remote_mgmt_allow_policy
service-policy input INT470
no shutdown
Hi Federico,
The source of the request has no relation to the way ACE handles the connections, so there are probably other differences in the traffic.
The best way to troubleshoot this kind of connection is to take a traffic capture on the TenGigabit interface connecting the ACE with the switch backplane. Once you have it, you can try to look for differences between the working and failing connections.
From what you describe, I wouldn't be surprised if the issue comes from the fact that there are several HTTP requests inside the same TCP flow (in which case, by default, the ACE will look only at the first one), so I would suggest you enable "persistence rebalance" for this VIP. For more details, check the link below:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/classlb.html#wp1062907
I hope this helps
Daniel -
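What Daniel's suggestion looks like in the configuration from the question, as an added example (not part of the original thread). Without it the ACE classifies only the first request on a TCP connection, so if the non-working part of the network reaches the VIP through something that reuses keepalive connections (a proxy, for instance; that is a guess consistent with the symptoms, not something the thread confirms), a later request carrying ?ld=fe2 is never re-evaluated and silently follows the first request's decision. The parameter-map name HTTP_REBALANCE is a placeholder.

```cisco
! Added example: re-evaluate the Layer 7 policy for every HTTP request
! on a persistent connection, not just the first one. HTTP_REBALANCE is
! a placeholder name for this example.
parameter-map type http HTTP_REBALANCE
  persistence-rebalance

! Attach the parameter-map to the existing VIP class; the rest of the
! class is unchanged from the posted config.
policy-map multi-match INT470
  class VIP-app
    loadbalance vip inservice
    loadbalance policy VIP-app-loadbalance
    loadbalance vip icmp-reply
    appl-parameter http advanced-options HTTP_REBALANCE
```

To confirm the behaviour rather than guess at it, compare `show service-policy INT470 detail` before and after from the failing network segment: with rebalance on, a browser session that switches from ?ld=fe1 to ?ld=fe2 should increment the COOKIE-FE2 class counters instead of only class-default. If the counters still do not move, the capture Daniel recommends is the next step, because then the parameter genuinely is not reaching the ACE in the form the class-map expects.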
Layer 7 class-map with different match types
Hello,
I am fighting with a problem on an ACE-4710 version A3(2.4) configuration. I just want to configure a layer 7 class-map that matches if one of two conditions is true. The problem is that these conditions are not of the same type and the ACE refuses the second match statement. However, in the configuration guide, it is clearly stated that it should be possible:
Here is what the configuration guides says :
host1/Admin(config)# class-map type http loadbalance match-any CLASS3
host1/Admin(config-cmap-http-lb)# 100 match http url .*.gif
host1/Admin(config-cmap-http-lb)# 200 match http header Host header-value XYZ
host1/Admin(config-cmap-http-lb)# exit
If I test exactly the same configuration in a context of my ACE, I receive an error message :
CH01AC03/P-104-A(config)# class-map type http loadbalance match-any CLASS3
CH01AC03/P-104-A(config-cmap-http-lb)# 100 match http url .*.gif
CH01AC03/P-104-A(config-cmap-http-lb)# 200 match http header Host header-value XYZ
Error: Match-any classmap can not have different type of match
If I use nested class-maps, I receive the same error message !
Is it a known problem, or is there a solution for it?
Thank you for any help
Yves
Hello Yves,
The command error is correct. I'll take a look at the docs and see about getting them corrected, if necessary.
Basically, for a match-all, you would have to use different types. For example, there will only be one Host header, so you would only specify it once, using a regex or a fixed string. As you found out, match-any requires that they all be of the same type. See my example below:
class-map type http loadbalance match-all HEADER-AND-URL
100 match http url /login.*
200 match http header Host header-value "XYZ"
class-map type http loadbalance match-any URLS
100 match http url .*\.gif
200 match http url .*\.jpg
class-map type http loadbalance match-any HEADER
200 match http header Host header-value "CISCO"
policy-map type loadbalance first-match SLB_LOGIC
class HEADER-AND-URL
serverfarm LOGIN-FARM
class URLS
serverfarm IMAGES-FARM
class HEADER
serverfarm CISCO-FARM
class class-default
serverfarm WWW-FARM
So let's say you want to match requests for URLs ending in .jpg or for requests with Host header XYZ, and if it matches either one, then send to the same serverfarm.
class-map type http loadbalance match-any URL-JPG
2 match http url .*\.jpg
class-map type http loadbalance match-any HOST-XYZ
2 match http header Host header-value "XYZ"
policy-map type loadbalance first-match SLB_LOGIC
class URL-JPG
serverfarm SERVER-FARM
class HOST-XYZ
serverfarm SERVER-FARM
If you wanted to send these requests to the farm only if they matched BOTH matches, then you could do it as follows:
class-map type http loadbalance match-all HEADER-AND-URL
100 match http url /login.*
200 match http header Host header-value "XYZ"
policy-map type loadbalance first-match SLB_LOGIC
class HEADER-AND-URL
serverfarm LOGIN-FARM
Hope this helps,
Sean -
Cisco ACE loadbalancing matching more than one header in L7 class map
Dear All,
This is regarding Cisco ACE load balancing matching more than one header in an L7 class-map. I have a small setup with an ACE30 module in a Cisco 6500. I have got three web servers. Presently I have the following configuration, where I am matching one URL header.
class-map type http loadbalance match-all L7_WEB_HEADER_MATCH
description MATCH THE HOST HEADER OF HTTP REQUEST
2 match http header Host header-value ".*abhisar.com*"
So for above configuration, when traffic is coming for abhisar.com, it is working fine.
Now, I have the following headers, and the DNS entry is pointing to the same virtual IP for all HTTP URL headers, the same as abhisar.com:
abhisarindia.com
indiaabhi.com
So new configuration will be
class-map type http loadbalance match-any L7_WEB_HEADER_MATCH
description MATCH THE HOST HEADER OF HTTP REQUEST
2 match http header Host header-value ".*abhisar.com*"
4 match http header Host header-value ".*abhisarindia.com*"
6 match http header Host header-value ".*indiaabhi.com*"
So just want to confirm if this is fine.
Thank You,
Abhisar.
Dear Rajesh,
Thank you for reply. I will let you know once I carry out this activity.
Thank You,
Abhisar. -
Issue in mapping.. Source message expect with prefix ns0 in input message!
Hi All,
I used the XSD structure which I got from partner which starts like below.
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" targetNamespace="http://xxxx.com/DirectSales/CustomerData" xmlns:prodata="urn:schemas-progress-com:xml-prodata:0001" xmlns="">
<xsd:element name="CustomerRequest" prodata:proDataSet="true">
I'm receiving the messages through SOAP adapter and the message looks like below.
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?><!-- Technical Routing --> <CustomerRequest xmlns='http://XXXX.com/DirectSales/CustomerData' xmlns:xsd='http://www.w3.org/2001/XMLSchema' xmlns:SOAP-ENV='http://schemas.xmlsoap.org/soap/envelope/' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xmlns:SE='http://schemas.xmlsoap.org/soap/encoding/'>
The message is failing during mapping. When I checked the message mapping, I found that the input source message is expected with the prefix "ns0", like <ns0:CustomerRequest...
How can I solve this issue? Is there any way I can add the prefix "ns0" before it comes to the mapping step?
Thanks
Deepthi
Hi Guys,
I tried to use the below parameter.
anonymizer.acceptNamespaces 'http://XXXX.com/DirectSales/CustomerData ns0
The ns0 is coming in all the tags, including segments and fields. I just want ns0 to come only at the root level, i.e. <ns0:CustomerReq...>
It is coming like below...
<ns0:CustomerRequest xmlns:ns0="http://XXXXXX.com/DirectSales/CustomerData">
<ns0:ttCustomer>
<ns0:branch-num>1424</ns0:branch-num>
<ns0:cust-num>121</ns0:cust-num>
<ns0:contact-code>3</ns0:contact-code>
</ns0:ttCustomer>
</ns0:CustomerRequest>
I want the message to come as
<ns0:CustomerRequest xmlns:ns0="http://XXXXXX.com/DirectSales/CustomerData">
<ttCustomer>
<branch-num>1424</branch-num>
<cust-num>121</cust-num>
<contact-code>3</contact-code>
</ttCustomer>
</ns0:CustomerRequest>
Kindly help me with the paramater value to be passed for anonymizer.acceptNamespaces.
Thanks
Deepthi -
A problem with ACL in the class-map on the ACE module
Hi all,
I configured the following on the ACE module:
object-group network test
host 192.168.1.21
host 192.168.1.22
host 192.168.1.23
object-group service port
tcp eq www
tcp eq 8080
access-list T line 8 extended permit object-group port object-group test any
I tried to configure a class-map for matching this ACL:
ACE-4710-2/Lab-OPT-11(config)# class-map match-any TEST_C
ACE-4710-2/Lab-OPT-11(config-cmap)# match access-list T
Error: Cannot associate acl having object-group ACEs in class-map.
So can't I configure the class-map using an ACL with object-groups involved? Is it a bug or the normal behaviour? Because the customer uses object-groups in ACLs and he has to configure ACLs without object-groups for the traffic classification. It is horrible.
Thank you
Roman
Hi Roman,
I'm afraid it's the expected behavior. You cannot use an ACL with object-groups inside a class-map.
Regards
Daniel -
Specifying table with jdbc-class-map-name
Greetings
How do I specify the name of the table to map to when using the jdbc-
class-map-name hint?
In my jdo file, I have specified:
<class name="Customer" objectid-class="CustomerId">
<extension vendor-name="kodo" key="jdbc-class-map-name" value="base">
<extension vendor-name="kodo" key="table" value="PERSONS"/>
</extension>
but when mappingtool generates the mapping file, the "table" hint
is ignored, and I end up with the following in the .mapping file:
<class name="Customer">
<jdbc-class-map type="base" table="FRED.CUSTOMER"/>
What I really want to see in the above jdbc-class-map is:
table="FRED.PERSONS"
I am using the property setting: kodo.jdbc.Schemas: FRED
Note that mapping fields to columns using jdbc-field-map-name
seems to work fine...
Any clues? Thanks.
droo.
You can't specify table or column names via mapping tool hints. The
typical way to change the default names is either to override the
getValidTableName/getValidColumnName methods in a custom DBDictionary
for systematic changes, or to follow the process outlined in example 7.6
on this page:
http://www.solarmetric.com/Software/Documentation/latest/docs/ref_guide_mapping.html#ref_guide_mapping_mappingtool_examples -
This is what I want to achieve USING the ACE as a reverse proxy.
User uses the url https://abc/password - gets to the destination server & the web page
If user tries to use any thing additional then the connection is dropped at the ACE such as
https://abc/password/test or any such variation.
Following is the config I have to achieve this
class-map type http loadbalance match-any L7-CLASS-TEST
match http url /password
match http url /password/
class-map type http loadbalance match-any L7-CLASS-TEST-deny
2 match http url .*.*
policy-map type loadbalance first-match LBP-TEST
class L7-CLASS-TEST
serverfarm FARM-TEST
ssl-proxy client TEST
class L7-CLASS-TEST-deny
drop
class class-default
serverfarm FARM-TEST
ssl-proxy client TEST
The problem with this is when the page opens I get broken links on all the images. If I use the following line
match http url /password.*
I get the images to work but the user can use the https://abc/password/test which is not what I want.
Has any one faced this issue ?
Any help will be appreciated.
Thanks in advance
Prasanna
Prasanna,
What about if you try it in HTTP and apply the following change?
class-map type http loadbalance match-any L7-CLASS-TEST-deny
2 match http url /.*
This should work in HTTP but not with HTTPS
Anyway, it should not work, since everything seems to be encrypted; you may require either SSL termination or end-to-end SSL for this, so that the ACE can decrypt the request, see what it needs to do and take the load-balancing decision.
Jorge -
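An explicit allow-list version of Prasanna's policy, as an added example (not part of the original thread). The ACE compares the `match http url` regex against the whole request URL, which is why `/password` in the posted config matches only that exact path and why `/password.*` also lets `/password/test` through. The fix for the broken images is therefore not to loosen the prefix but to list the asset paths the page actually loads, and then drop everything else. The asset path `/password/static/` and its extensions are an assumption for this example; take the real paths from a capture or the page source. As Jorge notes, none of this can work unless the VIP is SSL-terminated on the ACE so that it sees the URLs in clear.

```cisco
! Added example: URL allow-list for the password page plus its assets,
! explicit drop for every other URL. The /password/static/ path and the
! extension list are assumptions; L7-ALLOW-PASSWORD is a placeholder name.
! Regexes match the whole URL, so each line is effectively anchored.
class-map type http loadbalance match-any L7-ALLOW-PASSWORD
  2 match http url /password
  3 match http url /password/
  4 match http url /password/static/[^/]+\.(css|js|gif|png|jpg)

! first-match: anything not on the allow-list is dropped. Because the
! allow class is listed first, /password/test never reaches the farm.
policy-map type loadbalance first-match LBP-TEST
  class L7-ALLOW-PASSWORD
    serverfarm FARM-TEST
    ssl-proxy client TEST
  class class-default
    drop
```

Two checks before calling this done. First, look at whether the browser sends query strings for the page (for example a session parameter after `?`): if it does, `/password` no longer matches the exact string and the regex needs to allow the query part, e.g. `/password(\?.*)?`. Second, watch `show service-policy ... detail` while loading the page: every asset that ends up in class-default is a path still missing from the allow-list, which is a far safer way to find them than widening the prefix to `/password.*`.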
In the following class-map:
"class-map match-any voice
match access-group 190"
If the ACL 190 has more than one line with "permit" statements.
In order for the policy-map using the above class-map to find a match and use the rules applied for the above class-map, does the traffic need to meet all the criteria in the ACL or does it work like a regular ACL, where it "walks" down and it stops execution at the first permit/deny "hit"?
Regards,
Christos
The explicit "match-any" will do just that. So, a nested ACL can be configured for multiple criteria.
The alternative is a "match-all", where all nested options in your ACL MUST be met. Hope this helps.
T -
Copy of source message to an element with graphical mapping
Hi all,
Is there a way to copy the complete source message of a mapping to an element of the destination message (with CDATA) with the graphical mapping (or UDF, but I want to avoid XSL) ?
For example, from this message:
<source>
<element>test</element>
<element2>test2</element2>
</source>
I expect the following result:
<dest>
<data><![CDATA[<source><element>test</element><element2>test2</element2></source>]]>
</data>
</dest>
Thanks for your help.
Greg
Hi,
Use this Simple Concept
XML node into a string with graphical mapping
/people/michal.krawczyk2/blog/2005/11/01/xi-xml-node-into-a-string-with-graphical-mapping
Regards
Seshagiri -
OBIEE 11g - Maps with Google Map as Source
Hi Experts,
Am trying to create some maps using information from Google Maps as source.
In Map-viewer console, I have added Google Maps as the source in 'Manage Map Tile Layer' and was able to see the base map when I did a 'View Map/Manage Tiles'.
However when I logged into analytics and tried to import layers, am not able to see anything.
Is there anything that I am missing out. Thanks for any pointers.
- Sujana
Spatial data has to be set up in the database to get layers. I tried using some of the layers from the spatial data I had and could then get a map with Google Maps as the background map.
But I couldn't find any easy alternative to fetch layer information.
Edited by: user638087 on Apr 19, 2013 1:15 AM
Edited by: user638087 on Apr 19, 2013 1:17 AM