Felix_Marwede
May 26, 2016

APM VPE - Different branch rules depending on different IP Subnet Match via classmatch data group?

Hi there,

 

We are trying to allow a specific feature or progress only when internal and specific other source IP addresses which hit the VIP are in the list of "IP Subnet Match". As these are becoming more and more numerous and I would also like to include comments, I need to use a data group instead.

 

How can I now say in a Branch Rule that it should match the source IP address against this data group's IP addresses instead of using this "subnet match"? There might be some obvious ways to do that, but currently I have no idea.

 

Maybe also an advanced expression in the branch rule using something like:

if { [class match [IP::client_addr] equals source-ips] } { do something }

 

Any ideas for this issue?

 

Thanks in advance for your feedback!

 

Best regards, Felix

 

4 Replies

  • Hi,

     

    As far as I know, you can't execute this command from within the VPE directly. You will need to define an iRule to do the job and assign an APM variable a value depending on the result of your test. Then, the variable can be used to branch if needed.

     

    You can use the "iRule Event" block and the ACCESS_POLICY_AGENT_EVENT event in the iRule.

     

    You also have an IP Subnet Match block in the VPE where you can define branches.

     

  •  

    That's what I mean...

     

    To Yann: uuh, that makes everything a little bit more complicated than the VPE settings only...

     

    • Nolan_Jensen

      Felix,

       

      Did you ever figure out how to reference an iRule that looks at a data group inside of an access policy? If so, would you mind sharing your iRule, as I am not able to figure it out.

       

      Thank you!

  • Ok,

     

    so you had better call an iRule with the iRule Event block and assign a variable to 1 or 0 depending on whether the client IP matches your data group. You place this block before your IP subnet check. Then, you check that the value is 1 in the expr of the branch.
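
The approach described in the replies above, written out as an added example that is not part of the original thread or any poster's own iRule. The agent ID `check_source_ips` and the session variable `session.custom.source_ip_allowed` are assumed names; `source-ips` is the data group name from the question, assumed to be an address-type data group whose record values hold the comments.

```tcl
# Added example, not from the thread. Assumed names:
#   iRule Event agent ID : check_source_ips
#   session variable     : session.custom.source_ip_allowed
#   data group           : source-ips (address type; record value = free-text comment)
when ACCESS_POLICY_AGENT_EVENT {
    # React only to our own "iRule Event" block in the VPE
    if { [ACCESS::policy agent_id] ne "check_source_ips" } {
        return
    }

    # Fail closed: the branch rule sees 0 unless a match is proven below
    ACCESS::session data set session.custom.source_ip_allowed 0

    # Client IP as recorded by APM for this session
    set client_ip [ACCESS::session data get session.user.clientip]
    if { $client_ip eq "" } {
        log local0.warning "APM source-ips check: no client IP in session, denying"
        return
    }

    # On an address-type data group, "equals" matches hosts and subnets
    if { [class match $client_ip equals source-ips] } {
        ACCESS::session data set session.custom.source_ip_allowed 1
        # The record's value carries the comment; log it for audit
        set comment [class match -value $client_ip equals source-ips]
        log local0.info "APM source-ips check: $client_ip allowed ($comment)"
    } else {
        log local0.info "APM source-ips check: $client_ip not in data group"
    }
}

# Branch rule (Advanced tab) on the iRule Event block, checked before
# any branch that enables the restricted feature:
#   expr { [mcget {session.custom.source_ip_allowed}] == 1 }
```

The iRule has to be attached to the virtual server that carries the access profile, and the fallback branch should lead to the path without the restricted feature, so a missing or unset variable never grants it.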