Using Wildcards in HOST Class-Map

I want to use a wild card to match a HOST in a class-map. I want to match multiple hosts for the same site:
? Support.Cisco.com
? Employee.Cisco.com
? Helpdesk.Cisco.com
I want to match this with *.Cisco. Will this work?

You are right, my mistake
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hqos_r/qos_m1h.htm#wp1128712

Similar Messages

  • Using wildcard in Host header-value

    I have a redirect in my configuration that if a host header matches a certain value, then it will redirect to https.
    Originally I had the full host header, www.domain.com (actually www[.]domain[.]com).
    However, I found out that if a user just enters "domain.com", without the www, it is not being detected and redirected.
    I want to add a wildcard for the host portion.  I tried .*[.]domain[.]com.  But it seems to be hit or miss.  Sometimes it seems to work, but other times it doesn't.
    Is this the correct format for what I'm trying to do?
    Thanks.
    Jason

    Jason-
      Can you send all of the relvant configuration? technically what you have should work, but there are some other things you might need (persistance rebalance, non-case sensitivity, etc.)  Also, you could just add another line to a match-any class for the 2nd header instead of including every possible combination.
    Regards,
    Chris Higgins

  • Acl in class-map

    Hi
    i'm a little unsure of how using ACL's works within a class map.
    I want to allow access to a web server 1.1.1.1 and deny all othetraffic coming from the outside zone to the inside zone, so i have created an acl with a
    permit http to 1.1.1.1 and a deny ip any any statement and applied it to the class map.
    when i apply this to the policy map i can either inspect, drop or pass the traffic.
    what i don't understand is how this works with the ACL permit or deny statements or the implicit deny functionality of the ACL.
    for example if I apply the pass action to this class-map/ACL how does it handle the deny ip any any statement in the ACL?
    If i am passing the traffic in the policy, does it still deny any deny statements in the ACL?
    ​​also what about multiple class maps in a policy map, wouldn't a deny statement in the first acl stop further processing in the policy map
    hope this makes sense..
    thanks for any help

    When using ACLs in a class map, a permit entry causes the ACL condition to match and a deny entry does not. So, for your ACL "permit tcp any host 1.1.1.1 eq www", any HTTP traffic to 1.1.1.1 on 80/tcp will be matched by the class map and the implicit "deny ip any any" will not be matched. There is no action implied by the ACL when used this way, only a match or no match.
    ip access-list extended ACL_HTTP
    permit tcp any host 1.1.1.1 eq www
    class-map type inspect match-any CM_HTTP
    match access-group name ACL_HTTP
    In order to actually deny the traffic, you have to specify a drop in the policy map.
    policy-map PM_HTTP
    class CM_HTTP
    inspect
    class class-default
    drop
    To illustrate the point a bit further, let's say you were going to allow HTTP and HTTPS with two ACLs and did it like this:
    ip access-list extended ACL_HTTP
    permit tcp any host 1.1.1.1 eq www
    ip access-list extended ACL_HTTPS
    permit tcp any host 1.1.1.1 eq 443
    class-map type inspect match-any CM_HTTP
    match access-group name ACL_HTTP
    match access-group name ACL_HTTPS
    policy-map PM_HTTP
    class CM_HTTP
    inspect
    class class-default
    drop
    In the above case, HTTP traffic to 1.1.1.1 is a hit on ACL_HTTP's permit statement, is matched by the class map and is inspected by the policy map. HTTPS traffic to 1.1.1.1 is a hit on ACL_HTTPS's permit statement, is likewise matched by the class map and is inspected by the policy map. The implicit deny statements (and any other deny statements you may add) only ensure that the packet doesn't match that element of the class map and doesn't prevent it from being matched against another.

  • The class-default class map

    According to Cisco dumentation (http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/mpc.html)
    , the ASA is equipped with two default class-maps
    class-map inspection_default
    match default-inspection-traffic
    and
    class-map class-default
    match any
    The first makes perfect sense, but what is the class-default used for? Cisco says
    "This class map appears at the end of all Layer 3/4 policy maps and essentially tells the adaptive security appliance to not perform any actions on all other traffic. You can use the class-default class map if desired, rather than making your own
    match any class map. In fact, some features are only available for class-default."
    But I see stuff like this:
    policy-map MyPolicy
    class class-default
      inspect tfp MyFTPpolicy
    Obviously it is being used here to act on traffic! So I am confused.
    I also noticed that when you upgrade from 8.2 to 8.4, all default class-maps are removed from the configuration: you have to re-create everything (strange)

    Hello Collin,
    This is Mike. I dont think it is well documented. Basically it is just a class map (that does not appear on the configuration unless an action is specified) that will match all traffic passing through the ASA firewall. Some features like NSEL (Netflow) and Traffic shaping are only allowed to use this kind of class maps because they dont support any other match command.
    The one that you currently have (and God I hope its not applied)  will look for tftp traffic on every IP packet passing across the ASA.
    This specific type of policy you have there can only be applied on the interface (as it is not a layer 7 inspection policy) you can check if it is applied or not by running the show "run service-policy command"
    Mike

  • How can I do this using Wildcards?

    Hi everyone,
    I have a classed called LabeledDecimal which is a subclass of BigDecimal. Now, I have a class called Pair which is written using Wildcards.
    This class has a copyFrom() method which looks like :
    public void copyFrom(T p2)
         this.first = p2.first;
         this.second = p2.second;
    }If I try to use this method like below:
    Pair<BigDecimal> p1 = new Pair<BigDecimal>();
    Pair<LabeledDecimal> p2 = new Pair<LabeledDecimal>(ld1, ld2);
    p1.copyFrom(p2);Then I get the error:
    The method copyFrom(Pair<BigDecimal>) in the type Pair<BigDecimal> is not applicable for the arguments (Pair<LabeledDecimal>)
    How do I fix the copyFrom() method to get rid of this problem using wildcards?
    Edited by: fantastic_ray on Mar 20, 2008 12:07 AM

    Figured it out!
    public void copyFrom(Pair<? extends T> p2) That will fix it.

  • Using Wildcards in Mapping Script

    Hi everybody, im new in FDM and i have some doubts about mapping scripts.
    I have to recreate this Hyperion Translation Rule into FDM:
    ACC_SAP              tm_sap     Reverse Sign         UD4
    N21099Z300     {NULL}     FALSE     CD1
    D31199Z000     {NULL}     FALSE     CD1
    ????99     *     FALSE     CD
    ACC_SAP is the source account
    TM_SAP will be loaded into UD5 (as look up)
    How could i manage with a like mapping?
    I guess using a script but im not sure how to use wildcards within scripts, is it possible?
    Another related question, in a explicit mapping, how can i manage with NULL values if i want to assign them [None] value, do i have to put NULL in th source field?
    BR and thanks

    Thanks KellyDGreen. With the exampl shown is as you say but what if tm_sap has wildcards?
    F.i
    ACC_SAP TM_SAP TARGET_CUSTOM4
    999? 123? 198276
    Suppose that TM_SAP has been stored in UD5. Source dimensions are different from target dimension so i have to do it via script, dont I?
    BR
    Francisco

  • I want to allow only specific url using class-map

    i have two  dir on server like abc and  xyz  on the web server , but i have blocked the url using class-map like *xyz*
    is there any way to allow specific url  like in dir /abc/login.html and block all the files from /abc dir

    Thanks.  Actually, I posted my query because I haven't been able to make Parental Controls in OS X do what I want. I've been trying that tool for a while.  It seems that there are sort of three options:
    1. Allow everything with no exceptions
    2. Block sites that fail an automated filter for "adult" content, and then add back allowable sites.
    3. Block everything, and then add a white list of allowed sites
    In my case, option 2 doesn't work, because frankly, I don't care if my kids choose to look at content that somebody has evaluated as "adult."  Generally, the web log says that they don't, and if that does become an issue, then I will deal with it when it arises.  
    What I want to be able to do is the direct opposite of option 3 listed above:  Allow everything except an admin-specified black list defined per user, and be able to modify that list from time to time when I have a specific issue with a specific user. 
    I just want to be able - from time to time, like when I know they are behind on school work - to be able block a short list of "innocuous" persistent time-sucking sites as Youtube, Facebook, Twitter etc., even though there is not necessarily any objection content per se on the sites I want to block for that specific user (the "user-specific, admin-defined blacklist").   It is the lost (mis-allocated) time, not the risk of loose morals that concerns me.
    Network-level solutions exist, but these do not allow me to discriminate among user accounts as far as I can tell.  If anybody knows of a good solution that works in OS X across various platforms - freeware or commercial - I will appreciate a lead.   Or, if there is a hack that will allow me to accomplish this in Parental Controls, I would appreciate a pointer in that direction, as well.

  • Same parameter-map used on 2 different classes

    Greetings,
    If the same parameter-map (type connection or http) is used on two different policy-map classes, will that create a conflict in how traffic for each of serverfarms uses persistence or inactivity timeout (script 1)?
    Should we create a different instance of parameter-maps for each policy-map class (script 2)?
    Script 1
    parameter-map type connection inactivity_2000
    set timeout inactivity 2000
    parameter-map type http persistence-rebalance
    persistence-rebalance
    policy-map multi-match L4_POLICY
    class L3-4_VIP_A
    connection advanced-options inactivity_2000
    appl-parameter http advanced-options persistence-rebalance
    loadbalance policy L7_Serverfarm_A_Policy
    loadbalance vip inservice
    loadbalance vip icmp-reply active
    class L3-4_VIP_B
    connection advanced-options inactivity_2000
    appl-parameter http advanced-options persistence-rebalance
    loadbalance policy L7_Serverfarm_B_Policy
    loadbalance vip inservice
    loadbalance vip icmp-reply active
    Script 2
    parameter-map type connection L3-4_VIP_A_connection
    set timeout inactivity 2000
    parameter-map type connection L3-4_VIP_B_connection
    set timeout inactivity 2000
    parameter-map type http L3-4_VIP_A_http
    persistence-rebalance
    parameter-map type http L3-4_VIP_B_http
    persistence-rebalance
    policy-map multi-match L4_POLICY
    class L3-4_VIP_A
    connection advanced-options L3-4_VIP_A_connection
    appl-parameter http advanced-options L3-4_VIP_A_http
    loadbalance policy L7_Serverfarm_A_Policy
    loadbalance vip inservice
    loadbalance vip icmp-reply active
    class L3-4_VIP_B
    connection advanced-options L3-4_VIP_B_connection
    appl-parameter http advanced-options L3-4_VIP_B_http
    loadbalance policy L7_Serverfarm_B_Policy
    loadbalance vip inservice
    loadbalance vip icmp-reply active
    Thanks

    you can reuse the same parameter map.
    Gilles.

  • Class-maps used for load balancing on ACE

    I am from CCS background and am trying to understand how the VIPs could be configured on an ACE module (using class maps).
    I am looking for specific information for the following :
    1. Will each VIP have a corresponding Service-policy on the VLAN Interface or can we club many VIPs (through policy-maps) onto a single service-policy entry on teh interface?
    2. I could not find any cisco doco with the configuration examples for more than one VIP address and would please like to know some examples, if possible or could some one direct me to a doco with many VIP entries ?
    - Should each VIP have a seperate class-map or can list them together?

    You will have to configure L3/L4 class-maps for corresponding VIPs. You just need a single policy with n class-maps for n VIPS.
    I am writing a sample that will hopefully help you on this
    class-map match-all app1-vip
    match virtual-address 10.1.1.1 tcp eq 80
    class-map match-any app2-vip
    match virtual-address 10.1.1.2 tcp eq 443
    policy-map type loadbalance first-match L7app1
    class class-default
    server-farm App1-farm
    policy-map type loadbalance first-match L7app2
    class class-default
    server-farm App2-farm
    policy-map multi-match All-vips
    class app1-vip
    loadbalance vip inservice
    loadbalance policy L7app1
    loadbalance vip icmp-reply active
    class app2-vip
    loadbalance vip inservice
    loadbalance policy L7app2
    loadbalance vip icmp-reply active
    int vlan 100
    ip address 10.10.10.101 255.255.255.0
    service-policy input All-vips
    Syed Iftekhar Ahmed

  • A problem with ACL in the class-map on the ACE module

                      Hi all,
    I configured the following on the ACE module:
    object-group network test
      host 192.168.1.21
      host 192.168.1.22
      host 192.168.1.23
    object-group service port
      tcp eq www
      tcp eq 8080
    access-list T line 8 extended permit object-group port object-group test any
    I tried to configure a class-map for matching this ACL:
    ACE-4710-2/Lab-OPT-11(config)# class-map match-any TEST_C
    ACE-4710-2/Lab-OPT-11(config-cmap)# match access-list T
    Error: Cannot associate acl having object-group ACEs in class-map.
    So couldn't I  configure the class-map by using ACL with object-groups involved? Is it the bug or the normal behaviour? Because the customer uses object-groups in ACLs and he has to configure ACL without object-groups for the traffic classification. It is horrible.
    Thank you
    Roman

    Hi Roman,
    I'm afraid it's the expected behavior. You cannot use an ACL with object-groups inside a class-map.
    Regards
    Daniel

  • IOS Firewall: what is this class map doing?

    Hi, a few weeks ago I set up a class map but now as I am finding time to review my config, I am wondering what effect this has.  It is applied to a policy map for ssh access from the Internet to the router for management:
    class-map type inspect match-any SSH
    match protocol ssh
    match access-group name SSH
    The access list with the name "SSH" just allows certain public IP network blocks. 
    But I think I should be setting this to match-all and not match-any if I want it to allow the ssh protocol from only my IP, correct? 
    Also just to ensure I am not confused about proper creation of the ACL.  The ACL with the name SSH I've given is as follows:
    ip access-list extended SSH
    permit tcp xx.xx.0.0 0.255.255.255 any eq 22
    permit tcp xx.xx.0.0 0.7.255.255 any eq 22
    permit tcp xx.xx.0.0 0.255.255.255 any eq 22
    First, am I being redundant in the class map by telling it to match protocol ssh and also specifiying port 22 in the ACL? And, is this ACL readout done properly if I want only certain IP blocks to be able to come in from the Internet, to the router, using ssh? 

    Hello Colin,
    But I think I should be setting this to match-all and not match-any if I want it to allow the ssh protocol from only my IP, correct?
    Exactly you are getting it now It needs to be a match all....
    Regarding the ACL should be like this:
    access-list SSH
    permit tcp host outside_user_ip host router_outside_interface eq 22
    Regards,

  • Source ip filtering with class map on cisco ace30

    Hello ,
    I would like to know if it is  possible to filter source ips connecting to a virtual ip  within a class map configuration ( or something else  ) ?
    access-list S_IP_FILTERING line 8 extended permit ip host 1.1.1.1 any
    class-map match-all S_IP_FILTERING_XVIP
    2 match access-list S_IP_FILTERING
    3 match virtual-address 2.2.2.2 any
    Error: Only one match access-list is allowed in a match-all class-map and it cannot mix with any other match type
    thanks for your support
    Case,

    Hi,
    Yes, it is possible to do this. Use the ACL filter for the source IP address under the policy-map type loadbalance. Then you would call that load balance policy in your multi-match policy under the appropriate class.
    for example:
    class-map type http loadbalance match-any LOADBALANCE-FILTER
      2 match source-address X.X.X.X 255.255.255.255
    class-map match-any TEST-CLASSMAP
      2 match virtual-address Y.Y.Y.Y tcp eq www
    policy-map type loadbalance first-match LOADBALANCE
      class LOADBALANCE-FILTER
        serverfarm TEST-SERVERFARM
    policy-map multi-match UTC-PM
      class TEST-CLASSMAP
        loadbalance policy LOADBALANCE
        loadbalance vip inservice
    -Alex

  • ACE - HTTPS CLASS MAP CONFIGURATION

    Hi,
    We have a secured web site (HTTPS) currently fronted by Cisco ACE 4170, running version A5(1.2). We are trying to use the http class map to manipulate the traffic flow in the following manner:
    https://abc.com/ABC/* -> serverfarm#1
    https://abc.com/* -> serverfarm#2           (Default)
    Tecnically this should not be difficult and below is a sample of our configuration. We have similar configuration working on our non-secured web site (HTTP) However for the secure web site, the https request https://abc.com/ABC/xxx is continued being routed to serverfarm#2 instead of serverfarm#1 which is very frustrating.
    We can easily get this working on my F5 LTM within 5 minutes but this Cisco ACE continue to frustrate me...Appreciate if any expert on Cisco ACE can help to advise on our configuration.. Thanks.
    =========================================================
    serverfarm host serverfarm#1
    predictor leastconns
    probe https_probe
    rserver rs_server#1
      inservice
    rserver rs_server#2
      inservice
    serverfarm host serverfarm#2
    predictor leastconns
    probe https_probe
    rserver rs_server#3
      inservice
    rserver rs_server#4
      inservice
    sticky http-cookie STICKY_HTTPS_serverfarm#1
    cookie insert browser-expire
    timeout 15
    replicate sticky
    serverfarm serverfarm#1
    sticky http-cookie STICKY_HTTPS_serverfarm#2
    cookie insert browser-expire
    timeout 15
    replicate sticky
    serverfarm serverfarm#2
    class-map type http loadbalance match-any class-map-serverfarm#1
    2 match http url /ABC/.*
    policy-map type loadbalance first-match vs_serverfarm_https
    class class-map-serverfarm#1
      sticky-serverfarm STICKY_HTTPS_serverfarm#1
      insert-http x-forward header-value "%is"
      ssl-proxy client ssl_serverfarm
    class class-default
      sticky-serverfarm STICKY_HTTPS_serverfarm#2
      insert-http x-forward header-value "%is"
      ssl-proxy client ssl_serverfarm
    =========================================================

    Kanwaljeet,
    Yes, we are using ACE for SSL termination i.e. front end is https and back-end is also https.
    We are doing end-to-end encryption as our IT security and audit wanted end-to-end encryption between the client and servers. ACE should be able to look at the HTTP header at the front end since the client SSL session is terminate on the ACE.
    Below is an extract of the configuration, I've leave out the remaining configuration which is not required.
    =========================================================
    serverfarm host serverfarm#1
    predictor leastconns
    probe https_probe
    rserver rs_server#1
      inservice
    rserver rs_server#2
      inservice
    serverfarm host serverfarm#2
    predictor leastconns
    probe https_probe
    rserver rs_server#3
      inservice
    rserver rs_server#4
      inservice
    sticky http-cookie STICKY_HTTPS_serverfarm#1
    cookie insert browser-expire
    timeout 15
    replicate sticky
    serverfarm serverfarm#1
    sticky http-cookie STICKY_HTTPS_serverfarm#2
    cookie insert browser-expire
    timeout 15
    replicate sticky
    serverfarm serverfarm#2
    class-map match-all vs_serverfarm
      2 match virtual-address 10.178.50.140 tcp eq https
    class-map type http loadbalance match-any class-map-serverfarm#1
    2 match http url /ABC/.*
    policy-map type loadbalance first-match vs_serverfarm_https
    class class-map-serverfarm#1
      sticky-serverfarm STICKY_HTTPS_serverfarm#1
      insert-http x-forward header-value "%is"
      ssl-proxy client ssl_serverfarm
    class class-default
      sticky-serverfarm STICKY_HTTPS_serverfarm#2
      insert-http x-forward header-value "%is"
      ssl-proxy client ssl_serverfarm
    policy-map multi-match PRODWEB_POLICY
      class vs_serverfarm
        loadbalance vip inservice
        loadbalance policy vs_serverfarm_https
        loadbalance vip icmp-reply active
        nat dynamic 100 vlan 100
        ssl-proxy server ssl_serverfarm
    =========================================================

  • ACE: a class-map with multiple ports... what about the probe/serverfarm?

    Hello Gilles,
    One question about something I was not able to find in the documentation.
    Lets say I have one class-map which includes 2 ports (in this case https and 5061).
    Can I associate this class-map to just 1 generic serverfarm and probe for both ports or I have to specify 2 serverfarms/rservers/probes?
    So, by not specifying the ports on the rserver, if a request is received on port 443 (or 5061), it is sent to the same respective port on the rserver?
    The same way is valid for the generic probe.  ACE module is able to probe both ports based on the class-map?
    Thanks and have a great day!!
    Giulio.
    probe tcp PROBE_GENERIC_TCP
      description This probe works for all TCP services by inheriting the VIP port.
      interval 15
      faildetect 2
      passdetect interval 15
      passdetect count 2
      open 2
    rserver host SERVER1_ACCESS
      ip address <1AC>
      inservice
    rserver host SERVER2_ACCESS
      ip address <2AC>
      inservice
    serverfarm host ACCESS-SFARM
      probe PROBE_GENERIC_TCP
      rserver SERVER1_ACCESS
        inservice
      rserver SERVER2_ACCESS
        inservice
    class-map match-any OCS_L4ACCESS
      2 match virtual-address x.x.x.176 tcp eq https
      2 match virtual-address x.x.x.176 tcp eq 5061
    policy-map type loadbalance first-match OCS_L4ACCESS
      class class-default
        sticky-serverfarm ACCESS_STICKY
    policy-map multi-match POLICY
    class OCS_L4ACCESS
    loadbalance vip inservice
    loadbalance policy OCS_L4ACCESS
    loadbalance vip icmp-reply active
    connection advanced-options OCS_VIPTIMEOUT
    nat dynamic XXX vlan 503

    Even if you use the 4710 appliance or expect the inheritance in the module software, it's worth considering if this is really what you want. If you keep multiple ports in the L3/L4 class-map you can't handle the services independently. You will have a common serverfarm for both https and 5061. If https service stops on one rserver, the ACE will place that rserver (and not that service) in out-of-operation state and it won't receive any 5061 traffic either. (You have the fail-on-all probe option but I wouldn't say it's a better choice. In that case, https traffic would be sent to the rserver even if https port is closed as long as there is at least one working service on it.) That's why I prefer a separate class-map and separate serverfarm for each service. (They can contain the same rservers, no need to duplicate.) BUT if the software supports probe port inheritance, you can benefit from it even in this scenario: serverfarm-443 and serverfarm-5061 can both use your PROBE_GENERIC_TCP.

  • Layer 7 class-map with different match types

    Hello,
    I am fighting with a problem on an ACE-4710 version A3(2.4) configuation. I just want to configure a layer 7 class-map that matches if one of two conditions is true. The problem is that these conditions are not from the same type and the ACE refuses the second match statement. However, in the configuration guide, it is clearly defined that it should be possible :
    Here is what the configuration guides says :
    host1/Admin(config)# class-map type http loadbalance match-any CLASS3
    host1/Admin(config-cmap-http-lb)# 100 match http url .*.gif
    host1/Admin(config-cmap-http-lb)# 200 match http header Host header-value XYZ
    host1/Admin(config-cmap-http-lb)# exit
    If I test exactly the same configuration in a context of my ACE, I receive an error message :
    CH01AC03/P-104-A(config)# class-map type http loadbalance match-any CLASS3
    CH01AC03/P-104-A(config-cmap-http-lb)# 100 match http url .*.gif
    CH01AC03/P-104-A(config-cmap-http-lb)# 200 match http header Host header-value XYZ
    Error: Match-any classmap can not have different type of match
    If I use nested class-maps, I receive the same error message !
    Is it a known problem or is it a solution for it ?
    Thank you for any help
    Yves

    Hello Yves,
    The command error is correct.  I'll take a look at the docs and see about getting them corrected, if necessary.
    Basically, for a match-all, you would have to use different types.  For example, there will only be one Host header, so you would only specify it once using regex or a fixed string.  As you found out, the match-any requires that they all be of the same type.  See my example below:
    class-map type http loadbalance match-all HEADER-AND-URL
      100 match http url /login.*
      200 match http header Host header-value "XYZ"
    class-map type http loadbalance match-any URLS
      100 match http url .*\.gif
      200 match http url .*\.jpg
    class-map type http loadbalance match-any HEADER
      200 match http header Host header-value "CISCO"
    policy-map type loadbalance first-match SLB_LOGIC
      class HEADER-AND-URL
        serverfarm LOGIN-FARM
      class URLS
        serverfarm IMAGES-FARM
      class HEADER
        serverfarm CISCO-FARM
      class class-default
        serverfarm WWW-FARM
    So let's say you want to match requests for URLs ending in .jpg or for requests with Host header XYZ, and if it matches either one, then send to the same serverfarm.
    class-map type http loadbalance match-any URL-JPG
      2 match http url .*\.jpg
    class-map type http loadbalance match-any HOST-XYZ
      2 match http header Host header-value "XYZ"
    policy-map type loadbalance first-match SLB_LOGIC
      class URL-JPG
        serverfarm SERVER-FARM
      class HOST-XYZ
        serverfarm SERVER-FARM
    If you wanted to send these requests to the farm only if they matched BOTH matches, then you could do it as follows:
    class-map type http  loadbalance match-all HEADER-AND-URL
       100 match http url /login.*
       200 match http header Host header-value "XYZ"
    policy-map type  loadbalance first-match SLB_LOGIC
       class HEADER-AND-URL
         serverfarm LOGIN-FARM
    Hope this helps,
    Sean

Maybe you are looking for