Re: [squid-users] routing OR different IP address

From: Edward <edward@dont-contact.us>
Date: Sun, 6 May 2001 19:02:11 -0400

I just need to fine-tune the ACL.

Now, to load balance 2 cache servers:

access-list 110 deny tcp any any neq 80
access-list 110 deny tcp host cache1.company.com any
access-list 110 deny tcp host cache2.company.com any
access-list 110 permit tcp any 0.0.0.0 255.255.255.254
access-list 110 deny tcp any any

access-list 120 deny tcp any any neq 80
access-list 120 deny tcp host cache1.company.com any
access-list 120 deny tcp host cache2.company.com any
access-list 120 permit tcp any 0.0.0.1 255.255.255.254
access-list 120 deny tcp any any

route-map cache permit 110
match ip address 110
set ip next-hop cache1.company.com

route-map cache permit 120
match ip address 120
set ip next-hop cache2.company.com

In my case, I do not want to load balance.

My cache has 1 NIC w/ 2 IPs.

Now I should need 1 route-map cache permit #

I also need one access-list.

I believe that this should work properly (haven't fully tested it as of yet).

access-list 110 deny tcp any any neq www
access-list 110 deny tcp host 200.50.68.7 any
access-list 110 deny tcp host 64.110.11.2 any
access-list 110 permit tcp any any
access-list 110 deny tcp any any

If it doesn't work, then I would have to load balance on the same NIC.

So far, my preliminary results don't look good for the previous access-list.

----- Original Message -----
From: "Henrik Nordstrom" <hno@hem.passagen.se>
To: "Edward" <edward@cariaccess.com>
Cc: "squid" <squid-users@squid-cache.org>
Sent: Sunday, May 06, 2001 3:51 PM
Subject: Re: [squid-users] routing OR different IP address

> Edward wrote:
>
> > I have a policy route to the cache on one ip address.
> >
> > eg
> > access-list 110 deny tcp any any neq www
> > access-list 110 deny tcp host 200.50.68.7 any
> [...]
> > The other IP is 64.110.11.2.
> >
> > As you can see here, the Cisco is only sending to the 200.50.68.7.
> >
> > What I believe here, after sending you that email, 64.110.11.2 is not
> > getting past the router faste0/0 interface.
>
> Correct. Your Cisco does not know that 64.110.11.2 should not be
> redirected to 200.50.68.7.
>
> I seem to remember that your clients are actually on different subnets
> than your servers. In such case it is probably better to reverse the
> router ACL to tell what should be redirected rather than what should
> not. I.e. only redirect your client networks to the proxy.
>
> > If that is the case then I will have to add
> >
> > access-list 110 deny tcp host 64.110.11.2 any
> >
> > to the access-list.
> >
> > What do you think Henrik?
>
> Not a Cisco expert, but it looks like a step in the correct direction.
>
> --
> Henrik Nordstrom
> Squid Hacker
>
Received on Sun May 06 2001 - 17:01:51 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:59:51 MST
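The ACLs and route-maps discussed in this thread, run through a small first-match simulator so the behaviour Henrik describes (the cache's second address being redirected back to the cache) can be reproduced on paper. This is an added example written for this page; it is not code from Edward's or Henrik's messages, nor from Squid or Cisco. It assumes the load-balancing hostnames cache1/cache2 stand for the two addresses on the cache NIC (200.50.68.7 and 64.110.11.2), and the client subnet 10.1.1.0/24, the web servers 198.51.100.10/.11 and the source 203.0.113.9 are constructed sample values.

```python
"""Simulate Cisco extended-ACL first-match evaluation and route-map clause order.

Added example for this page; not from the post, Squid or Cisco. A route-map
clause applies only when its ACL *permits* the packet; a deny, or no match at
all (the implicit deny), falls through to the next clause, and if no clause
matches the packet is routed normally (returned as None here).
"""
import ipaddress

PORT_NAMES = {"www": 80}   # only named port used in the thread


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _take_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return tokens[1:], ("any",)
    if tokens[0] == "host":
        return tokens[2:], ("host", tokens[1])
    return tokens[2:], ("wild", tokens[0], tokens[1])


def _addr_matches(spec, ip):
    if spec[0] == "any":
        return True
    if spec[0] == "host":
        return ip == spec[1]
    base, wild = _ip(spec[1]), _ip(spec[2])
    care = ~wild & 0xFFFFFFFF          # wildcard 1-bits are "don't care" bits
    return (_ip(ip) & care) == (base & care)


def parse_acl(text):
    """Parse 'access-list N permit|deny tcp SRC DST [eq|neq PORT]' lines into {N: [aces]}."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0].lower() != "access-list":
            continue
        num, action, proto = t[1], t[2], t[3]
        rest, src = _take_addr(t[4:])
        rest, dst = _take_addr(rest)
        op, port = (rest[0], PORT_NAMES.get(rest[1]) or int(rest[1])) if rest else (None, None)
        acls.setdefault(num, []).append((action, proto, src, dst, op, port))
    return acls


def acl_permits(aces, pkt):
    """First matching entry decides; nothing matching is the implicit deny."""
    for action, proto, src, dst, op, port in aces:
        if proto != pkt["proto"]:
            continue
        if not (_addr_matches(src, pkt["src"]) and _addr_matches(dst, pkt["dst"])):
            continue
        if (op == "eq" and pkt["dport"] != port) or (op == "neq" and pkt["dport"] == port):
            continue
        return action == "permit"
    return False


def next_hop(acls, route_map, pkt):
    """route_map: [(acl_number, next_hop_ip), ...] in sequence-number order."""
    for acl_num, hop in route_map:
        if acl_permits(acls.get(acl_num, []), pkt):
            return hop
    return None


def flow(src, dst, dport):
    return {"proto": "tcp", "src": src, "dst": dst, "dport": dport}


CACHE_IP1, CACHE_IP2 = "200.50.68.7", "64.110.11.2"   # the two addresses on the cache NIC

ACL_BEFORE = """                     # the post's single-cache ACL before the extra deny
access-list 110 deny tcp any any neq www
access-list 110 deny tcp host 200.50.68.7 any
access-list 110 permit tcp any any
"""
ACL_AFTER = """                      # the revised single-cache ACL from the post
access-list 110 deny tcp any any neq www
access-list 110 deny tcp host 200.50.68.7 any
access-list 110 deny tcp host 64.110.11.2 any
access-list 110 permit tcp any any
access-list 110 deny tcp any any
"""
SINGLE_MAP = [("110", CACHE_IP1)]

ACL_BALANCE = """                    # load-balancing pair; cache1/cache2 replaced by the IPs above (assumption)
access-list 110 deny tcp any any neq 80
access-list 110 deny tcp host 200.50.68.7 any
access-list 110 deny tcp host 64.110.11.2 any
access-list 110 permit tcp any 0.0.0.0 255.255.255.254
access-list 110 deny tcp any any
access-list 120 deny tcp any any neq 80
access-list 120 deny tcp host 200.50.68.7 any
access-list 120 deny tcp host 64.110.11.2 any
access-list 120 permit tcp any 0.0.0.1 255.255.255.254
access-list 120 deny tcp any any
"""
BALANCE_MAP = [("110", CACHE_IP1), ("120", CACHE_IP2)]

ACL_CLIENTS_ONLY = """               # Henrik's reversal: permit only a (constructed) client subnet
access-list 130 permit tcp 10.1.1.0 0.0.0.255 any eq www
"""
CLIENTS_MAP = [("130", CACHE_IP1)]


def demo():
    client, srv_even, srv_odd = "10.1.1.5", "198.51.100.10", "198.51.100.11"   # constructed
    return {
        "before/client": next_hop(parse_acl(ACL_BEFORE), SINGLE_MAP, flow(client, srv_even, 80)),
        "before/cache2": next_hop(parse_acl(ACL_BEFORE), SINGLE_MAP, flow(CACHE_IP2, srv_even, 80)),
        "after/cache2": next_hop(parse_acl(ACL_AFTER), SINGLE_MAP, flow(CACHE_IP2, srv_even, 80)),
        "after/https": next_hop(parse_acl(ACL_AFTER), SINGLE_MAP, flow(client, srv_even, 443)),
        "balance/even": next_hop(parse_acl(ACL_BALANCE), BALANCE_MAP, flow(client, srv_even, 80)),
        "balance/odd": next_hop(parse_acl(ACL_BALANCE), BALANCE_MAP, flow(client, srv_odd, 80)),
        "clients-only/client": next_hop(parse_acl(ACL_CLIENTS_ONLY), CLIENTS_MAP, flow(client, srv_even, 80)),
        "clients-only/other": next_hop(parse_acl(ACL_CLIENTS_ONLY), CLIENTS_MAP, flow("203.0.113.9", srv_even, 80)),
    }


if __name__ == "__main__":
    for name, hop in demo().items():
        print(f"{name:22} -> {hop or 'normal routing'}")
```

Three things the run makes visible: with the original ACL, port 80 traffic leaving the cache from 64.110.11.2 is permitted and therefore handed back to 200.50.68.7, which is the loop in the quoted exchange; the wildcard 0.0.0.0 255.255.255.254 versus 0.0.0.1 255.255.255.254 splits flows by the low bit of the destination address, so the balancing ACLs send even and odd servers to different caches; and the reversed "permit only clients" ACL needs no trailing deny lines, because the implicit deny already keeps the cache and any server subnet out of the redirect.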