Forum Discussion

Nimbostratus

Jan 07, 2013

Content switching with SSL offloading on a single virtual server address

Hi guys we are planning to implement content-switching and just using one virtual server ip address. This single ip will represent multiple urls with SSL. This is in order for our client to save...

Employee

Jan 13, 2013

can you help me how can I include an ip filter that only allows certain ip addresses to access the pool? Should I use matchlass? how to include it in the irule? you should use "class" command.

e.g.

root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.20.14:443
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        clientssl {
            context clientside
        }
        http { }
        tcp { }
    }
    rules {
        myrule
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vlans-disabled
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm rule myrule
ltm rule myrule {
    when CLIENT_ACCEPTED {
   if { not [class match -- [IP::client_addr] equals allow_ip_class] } {
      log local0. "[IP::client_addr]:[TCP::client_port] is rejected"
      reject
   } else {
     log local0. "[IP::client_addr]:[TCP::client_port] is accepted"
   }
}
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm data-group internal allow_ip_class
ltm data-group internal allow_ip_class {
    records {
        192.168.206.33/32 { }
    }
    type ip
}

[root@ve11a:Active:Changes Pending] config  tail -f /var/log/ltm
Jan 14 14:24:29 ve11a info tmm[11170]: Rule /Common/myrule : 172.28.19.251:48999 is rejected
Jan 14 14:24:36 ve11a info tmm1[11170]: Rule /Common/myrule : 192.168.206.33:54606 is accepted

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)