rgk_76855
Feb 25, 2010

LTM for URL/URI Filtering only (Very Urgent)

Dear All,

For URL filtering, please find attached the customer's test case I have created, where I want to use LTM non-inline and will send the YouTube traffic of 95 Mbps to LTM using PBR.

From all outgoing PBR traffic of YouTube, I want to block certain URL/URI links.

(For example: http://www.youtube.com/watch?v=4BOOs3EbR0w&feature=featured)

LTM to perform only URL filtering for outgoing traffic and give the traffic to its default gateway.

Return traffic will reach the client via normal routing and should not pass from the LTM.

In our test case we will not use any cache / proxy server as well as LTM's proxy feature.

We just want LTM to take the traffic from the internal interface, send it out from the external interface, and perform URL/URI filtering using an iRule, with normal routing to its default gateway and without changing the source address of the client.

Please give your advice on this test case and the attached diagram. According to the iRule in the diagram, please tell me how and where I will add the listed 50 to 60 YouTube URL/URIs, and what will be my VS in this scenario?

Thanks

Rehan

1 Reply

  • Conceptually, this seems possible to do with an iRule as long as the core router knows to route the requests but not the responses to LTM. Have you tried testing it? You'd need to configure a standard 0.0.0.0/0.0.0.0 port 80 VIP with an HTTP profile in order to use the iRule on all requests. Also, you might want to set the host to lower case before checking it in the datagroup:

    if { [matchclass [string tolower [HTTP::host]] equals PTA_Blocked_list] } {

    You'd potentially need to handle IP addresses as well--else clients could use the IP and bypass the filtering.

    If you want to do the same validation for HTTPS traffic, you'd need a cert which the browsers accept for all external sites. You could add that to another 0.0.0.0/0.0.0.0 port 443 VIP with a client and server SSL profile added.

    Aaron
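
The checks described in the reply, combined into one iRule for the wildcard port 80 virtual server; this is an added example, not part of Aaron's post and not the iRule from the poster's diagram. PTA_Blocked_list is the data group named in the reply; PTA_Blocked_urls (string entries such as www.youtube.com/watch?v=4BOOs3EbR0w) and PTA_Blocked_ips (address type) are hypothetical data group names assumed here.

```tcl
when HTTP_REQUEST {
    # Normalise the Host header: lower case, strip any ":port" suffix
    # (hostnames and IPv4 literals only).
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    # 1. Whole-site block by host name, as in the reply.
    if { [matchclass $host equals PTA_Blocked_list] } {
        HTTP::respond 403 content "Blocked by policy"
        return
    }

    # 2. Per-URL block against PTA_Blocked_urls (hypothetical data group).
    #    Only the path and the "v" parameter go into the key, so extra or
    #    reordered parameters (&feature=featured) do not change it.
    #    The "&" prefix stops a parameter such as "nv=" from matching "v=".
    #    The URI is not lower-cased because video IDs are case-sensitive.
    set key "${host}[HTTP::path]"
    set vid [findstr "&[HTTP::query]" "&v=" 3 "&"]
    if { $vid ne "" } {
        append key "?v=$vid"
    }
    if { [matchclass $key equals PTA_Blocked_urls] } {
        HTTP::respond 403 content "Blocked by policy"
        return
    }

    # 3. Requests addressed by IP: the Host header is client-controlled,
    #    so also check the real destination address of the connection
    #    against PTA_Blocked_ips (hypothetical address data group).
    if { [matchclass [IP::local_addr] equals PTA_Blocked_ips] } {
        HTTP::respond 403 content "Blocked by policy"
        return
    }
    # Anything else is forwarded by the virtual server as usual.
}
```

On a wildcard virtual server `IP::local_addr` in `HTTP_REQUEST` is the address the client was trying to reach, so the third check applies whatever the Host header says.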