Forum Discussion

Andrés_Ortiz_10
Jun 21, 2007

LDAP traffic

Hi,

I am trying to direct my LDAP traffic according to whether it belongs to one IP range or another.

I think I can do this the following way, but I don't know how to describe and compare ranges using "class" and "findclass".

What do you think?

Andrés :-Z

class myPoolA {
  "10.16.13.25" "10.16.13.48"
}

class myPoolB {
  "10.16.13.89" "10.16.13.112"
}

when CLIENT_ACCEPTED {
  TCP::collect
}

when CLIENT_DATA {
  set myPoolA [findclass [findstr [TCP::payload] LOGIN-IP 9 "MSISDN"] $::myPoolA ...???]
  if { $myPoolA != "" } {
    pool $myPoolA
  }
  set myPoolB [findclass [findstr [TCP::payload] LOGIN-IP 9 "MSISDN"] $::myPoolB ...???]
  if { $myPoolB != "" } {
    pool $myPoolB
  }
  TCP::release
}
  • Deb_Allen_18
    Historic F5 Account
    To perform comparison of client IP address with a list of addresses or subnets in a Data Group List (class), define your class as type "Address", then use matchclass instead of findclass.

    First define these classes as type "Address":

    class LDAP_GroupA {
      "network 10.16.13.0/26"
      "host 10.10.10.1"
    }
    class LDAP_GroupB {
      "network 10.16.13.64/26"
      "host 10.10.10.2"
    }

    Then this iRule will distribute the traffic:

    when RULE_INIT {
      set ::defaultPool myPool
    }
    when CLIENT_ACCEPTED {
      TCP::collect
    }
    when CLIENT_DATA {
      # extract the LOGIN-IP value from the request payload
      set LoginIP [findstr [TCP::payload] LOGIN-IP 9 "MSISDN"]
      if { $LoginIP != "" } {
        if { [matchclass $LoginIP equals $::LDAP_GroupA] } {
          pool PoolA
        } elseif { [matchclass $LoginIP equals $::LDAP_GroupB] } {
          pool PoolB
        } else {
          pool $::defaultPool
        }
      } else {
        pool $::defaultPool
      }
      TCP::release
    }
    Any request with no LOGIN-IP value or an address not in either class will go to the default pool.

    HTH

    /deb
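The routing decision in Deb's iRule, as an added Python example (not from the thread or from F5): it reproduces the findstr extraction and the matchclass lookup over the same Address groups, with a default pool for a missing or unmatched LOGIN-IP. It assumes the payload has already been reduced to plain text of the form the findstr call expects, and adds an address-validity check because the extracted value is untrusted data from the wire.

```python
import ipaddress

# Address-type data groups mirroring the classes in the answer above
# (constructed sample; the /26 networks and host entries are the thread's).
LDAP_GROUPS = {
    "PoolA": ["10.16.13.0/26", "10.10.10.1"],   # LDAP_GroupA
    "PoolB": ["10.16.13.64/26", "10.10.10.2"],  # LDAP_GroupB
}
DEFAULT_POOL = "myPool"


def find_login_ip(payload: str) -> str:
    """Mimic findstr [TCP::payload] LOGIN-IP 9 "MSISDN": find "LOGIN-IP",
    skip 9 characters ("LOGIN-IP="), return everything up to "MSISDN".
    Returns "" when the attribute is absent, as findstr does."""
    start = payload.find("LOGIN-IP")
    if start < 0:
        return ""
    start += 9
    end = payload.find("MSISDN", start)
    return payload[start:] if end < 0 else payload[start:end]


def select_pool(payload: str) -> str:
    """Pick the pool for one request in the same order as the iRule."""
    raw = find_login_ip(payload).strip()
    if not raw:
        return DEFAULT_POOL
    # The value is untrusted text taken from the wire: reject anything that
    # is not a well-formed address before it reaches the group lookup.
    try:
        ip = ipaddress.ip_address(raw)
    except ValueError:
        return DEFAULT_POOL
    for pool, members in LDAP_GROUPS.items():
        # ip_network() turns a bare host into a /32, like a "host" entry
        if any(ip in ipaddress.ip_network(m, strict=False) for m in members):
            return pool
    return DEFAULT_POOL  # address matched neither group


if __name__ == "__main__":
    # Constructed filters shaped like the ldapsearch call in the thread.
    for sample in ("LOGIN-IP=10.16.13.25 MSISDN", "LOGIN-IP=10.16.13.100 MSISDN",
                   "LOGIN-IP=10.146.248.2 MSISDN", "o=SIU MSISDN",
                   "LOGIN-IP=10.16.13 MSISDN"):
        print(f"{sample!r:34} -> {select_pool(sample)}")
```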
  • The request that we send is:

    ldapsearch -h 10.237.0.255 -b o=SIU "LOGIN-IP=10.146.248.2" MSISDN

    We cannot send a mask in the request.

    This is the iRule:

    class LDAP_GroupA {
      "network 10.16.13.0/26"
    }
    class LDAP_GroupB {
      "network 10.16.13.64/26"
    }

    when RULE_INIT {
      set ::defaultPool myPool
    }
    when CLIENT_ACCEPTED {
      TCP::collect
    }
    when CLIENT_DATA {
      set LoginIP [findstr [TCP::payload] LOGIN-IP 9 "MSISDN"]
      if { $LoginIP != "" } {
        if { [matchclass $LoginIP equals $::LDAP_GroupA] } {
          pool PoolA
        } elseif { [matchclass $LoginIP equals $::LDAP_GroupB] } {
          pool PoolB
        } else {
          pool $::defaultPool
        }
      } else {
        pool $::defaultPool
      }
      TCP::release
    }

    We have tried it in a real environment and it does not work; it results in the following error:

    Jun 27 11:42:36 tmm tmm[1658]: 01220002:6: Rule LDAP_IRULE : IP Capturada: 10.146.248.200

    Jun 27 11:42:36 tmm tmm[1658]: 01220001:3: TCL error: Rule LDAP_IRULE - missing "mask"Invalid class element 10.146.248.20 for class LDAP_GroupA invoked from within "matchclass $LoginIP equals $::LDAP_GroupA"

    Any idea how to resolve this?

    Thanks in advance
  • Deb_Allen_18
    Historic F5 Account
    Looks like the class member format may not be correct.

    Did you create the class as type "Address"?