Restrict access from VIP1 to VIP2


How can I restrict one Virtual Service from using another Virtual Service? The settings in "Service Specific Access Control" do not work for me.

I set up a Virtual Service to serve SSH (VIP1). The real server is in a remote DMZ subnet. I then use the "Service Specific Access Control" on another service (VIP2, with remote real servers in another subnet) to deny that DMZ subnet access to the service. Once logged on to the SSH (VIP1), I can access the other Virtual Service (VIP2).

However, the settings do work if I come from a non-load-balanced machine in the same DMZ subnet.

Is this per design or am I missing something fundamental?

I am using LM3000 in HA.



1 comment

Tony Vaughan

Hello, from what you are saying, the flow of traffic is:
Client -> VS 1 -> non-Local RS 1 (DMZ) -> VS 2 -> non-Local RS2 (internal?)
I am making some guesses on your network setup.

If you are unable to give full details here, I would recommend opening up a support ticket.
For now, is it possible to get a TCP dump from the LoadMaster to confirm that VS 2 is seeing the client's IP?

What you are saying is correct; I would expect the ACL to drop the request.
Again, I would need to get a better understanding of the topology and VS settings.
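
One way to carry out the capture check suggested above, as an added example that is not part of the thread: it reads a capture rendered to text with `tcpdump -nn -r <file>` and lists which source addresses open connections to VS 2, split by whether they fall inside the subnet the ACL denies. The VIP address, port, subnet and capture lines are all constructed placeholders.

```python
import ipaddress
import re
from collections import Counter

# Constructed values for illustration; none of them come from the thread.
VIP2 = "192.0.2.20"
VIP2_PORT = 443
DENIED = ipaddress.ip_network("10.20.30.0/24")  # stands in for the DMZ subnet in the VS 2 ACL

# Constructed sample of `tcpdump -nn` text output.
SAMPLE = """\
12:00:01.000100 IP 10.20.30.15.51514 > 192.0.2.20.443: Flags [S], seq 100, win 64240, length 0
12:00:01.000300 IP 192.0.2.20.443 > 10.20.30.15.51514: Flags [S.], seq 900, ack 101, win 65160, length 0
12:00:02.000100 IP 192.0.2.1.40022 > 192.0.2.20.443: Flags [S], seq 200, win 64240, length 0
12:00:03.000100 IP 10.20.30.15.51600 > 192.0.2.20.22: Flags [S], seq 300, win 64240, length 0
12:00:04.000100 IP 198.51.100.7.50000 > 192.0.2.20.443: Flags [S], seq 400, win 64240, length 0
"""

LINE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def syn_sources(text, vip, port):
    """Count source IPs of initial SYNs (SYN without ACK) sent to vip:port."""
    seen = Counter()
    for line in text.splitlines():
        m = LINE.search(line)
        if not m or m["flags"] != "S":
            continue  # skip SYN-ACKs, data segments and non-IPv4 lines
        if m["dst"] == vip and int(m["dport"]) == port:
            seen[m["src"]] += 1
    return seen

def classify(sources, denied):
    """Split observed sources into those inside the denied subnet and the rest."""
    hit = {ip for ip in sources if ipaddress.ip_address(ip) in denied}
    return hit, set(sources) - hit

if __name__ == "__main__":
    hit, miss = classify(syn_sources(SAMPLE, VIP2, VIP2_PORT), DENIED)
    print("sources inside the denied subnet:", sorted(hit))
    print("sources outside the denied subnet:", sorted(miss))
```

A connection that was expected to come from the DMZ but shows up in the second list is reaching VS 2 with a source address the ACL entry does not cover.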