From: Sasa Milic (smilic2@pexim.co.yu)
Date: Mon Jun 25 2007 - 03:22:27 ART
> match protocol http host "abc.com" matches all packets coming FROM
> abc.com. So, any policy that matches http host must be an inbound policy.
MS,
I did some testing in my lab and found that match by host is somewhat
special. You really apply an output policy (from server to client), but the
router watches input traffic (from client to server), and once it matches the
host in a GET request (via regexp), all traffic from the host (which is now
known by IP address) to the client is matched (although there is no 'Host'
field in the HTTP reply) and processed in the output policy. That's how it
works. Tested with a web server, client, router and sniffer. It doesn't work
with asymmetric routing (tested), when client-to-server traffic goes via some
other router.
Regards,
  Sasa
----------------------------------
Sasa Milic, CCIE #8635 (R&S), CCSP
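
A configuration sketch of the lab setup this message describes, added here as an illustration and not taken from the original post. The class-map and policy-map names, the interface, the `*` wildcards around the host pattern and the police rate are all assumptions.

```cisco
! Added example; all names, the interface and the rate are hypothetical.
!
! Classify HTTP by the Host header. Per the message above, the header is
! seen only in the client's GET request, which enters the router on the
! client-facing interface.
class-map match-all HTTP-HOST-ABC
 match protocol http host "*abc.com*"
!
! Action applied to the matched traffic (rate chosen for illustration).
policy-map TO-CLIENT
 class HTTP-HOST-ABC
  police 128000 conform-action transmit exceed-action drop
!
! Client-facing interface. The policy is attached outbound, so it acts on
! server-to-client packets leaving toward the client, while the GET that
! identifies the host arrives inbound on this same interface.
interface FastEthernet0/0
 description Client LAN (hypothetical)
 service-policy output TO-CLIENT
!
! If client-to-server traffic takes a path through another router
! (asymmetric routing), this router never sees the GET, and per the
! message above the class does not match the return traffic.
```

`show policy-map interface FastEthernet0/0` displays the per-class packet counters, which is one way to confirm whether the return traffic is landing in the class.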