Forum Discussion

F5_LB_Eng
Sep 24, 2013

Restrict access iRule needed

Note: this URL, abc.f5.corp.net, should be accessed from the servers usahvmfla721 and usahvmfla722 (usahvmfla721 - 10.1.11.49, usahvmfla722 - 10.1.11.50).

I feel we can create one class and map the class to the iRule...

I need a rule for this request.

Could someone help me ASAP?

  • It's a little unclear what you're trying to do, so I'll assume you only want to allow access to the URL/VIP (abc.f5.com) from the two listed addresses - and that you want to use a data group to store those addresses. If that's the case:

    1. Create an address-based data group. Example (my_ip_datagroup):

      10.1.11.49 mask 255.255.255.255
      10.1.11.50 mask 255.255.255.255

    2. Create an iRule like this:

      when CLIENT_ACCEPTED {
          # Reject any client whose source address is not in the data group
          if { not ( [class match [IP::client_addr] equals my_ip_datagroup] ) } {
              reject
          }
      }

    You could also do this in a packet filter rule and prevent the 3-way handshake that the above iRule will allow.

  • I got one more; will this work?

    b class client_class '{ host 10.1.11.49 host 10.1.11.50 }'

    b rule CLIENT_ACCEPTED_RULE '{ when HTTP_REQUEST { if { [matchclass [IP::remote_addr] equals $::client_class] } { return } else { discard } } }'

  • b class alfaws_class '{ host 10.1.11.49 host 10.1.11.50 }'

    b rule CLIENT_ACCEPTED_RULE '{ when HTTP_REQUEST { if { [matchclass [IP::remote_addr] equals $::alfaws_class] } { pool abc.f5.corp.net } else { discard } } }'

  • That should work depending on your BIG-IP version. The matchclass command is deprecated in v11.

  • The version running on my LB is Version 10.2.4 771.0. I think it should work?

  • The matchclass command will still work in v10.2, but you'll run into problems upgrading to v11. The new class commands will work in v10.2, however, so probably better to switch over now.
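The same restriction written with the newer class commands, with the check moved to CLIENT_ACCEPTED and a log line for rejected sources so the rule can be monitored (an added example, not code from this thread; the data group name client_class follows the post above, the pool name abc_pool and the tmsh data-group syntax are assumptions):

```tcl
# Data group, tmsh v11 syntax (assumed; on v10 use the bigpipe form from the post above):
#   create ltm data-group internal client_class type ip records add { 10.1.11.49/32 { } 10.1.11.50/32 { } }
when CLIENT_ACCEPTED {
    # Check the source address before any HTTP parsing, so the
    # restriction also covers non-HTTP traffic hitting the virtual server.
    if { [class match [IP::client_addr] equals client_class] } {
        pool abc_pool
    } else {
        # Record the rejected source, then send a RST rather than
        # silently dropping the connection.
        log local0. "Rejected [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
        reject
    }
}
```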