Forum Discussion
1 VIP accepts on "0" and passes to 3 different pools based on dest port
Hello all,
I need to create a VIP which takes in all traffic on all ports, then an iRule sends 80, 443 to one pool, 3120 to another pool, 3121 to another pool, and drops all remaining traffic. I also need to ensure true-client-IP is input in the header for all three pools. I have been trying to figure out iRules and saw nothing on this config in the forums. Does anyone have any past examples?
7 Replies
- Vernon_97235
Historic F5 Account
Why don't you simply create four different Virtual Servers, all using the same IP, but different ports? If you don't use SNAT on the VSs, then the client will see the original client IP (naturally, they must have a route back to the client, which traverses the BIG-IP -- unless you're using direct server return).
- IainThomson85_1
Cumulonimbus
As Vernon mentions, creating 4 VIPs (if your list of 4 ports is exhaustive) would be by far the simplest implementation.
If you're stuck on the True-Client-IP variable, there are plenty of articles on DevCentral.
Just do a quick search.
- benniehanas_239
Nimbostratus
The issue here is that the traffic is generated by Akamai IP, they also send True-Client-IP. The True-Client-IP is what I need to pass to the backend servers. I can just create 3 VS instead of just one, but wanted my config to be cleaner and less cluttered. Do you think it is still best to create 3?
- VernonWells
Employee
If your only objective is to pass the True-Client-IP HTTP header without alteration, and the Akamai source is inserting that header itself, you don't need an iRule, and in fact, don't even need the http profile on the Virtual Servers. In this case, separate Virtual Servers are definitely cleaner and more performant. If you need to either generate the True-Client-IP header, or need to make the source IP of traffic toward your servers be the True-Client-IP address, then an iRule and the http profile are both required. Even in this case, it's more performant to use separate Virtual Servers, and as I say, as long as the number of destination ports is low, then it is (in my opinion) still cleaner.
Incidentally, if the BIG-IP must parse or insert the True-Client-IP, and if the traffic bound for port 443 is SSL, you must terminate the SSL on the BIG-IP. If you are simply passing the header along, then as with all of the other Virtuals, you may simply use a FastL4 profile.
As @IanThomson85 points out, there are a number of DevCentral discussions along a similar vein. For example:
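Added example, not written by any poster in this thread: the single-virtual-server design from the original question, as an iRule for a wildcard-port (port 0) TCP or FastL4 virtual server that selects a pool by destination port and drops everything else. The pool names are hypothetical, and it assumes Akamai already inserts True-Client-IP, so the header passes through untouched and no http profile is needed.

```tcl
# Added example: pool_web, pool_3120 and pool_3121 are hypothetical pool names.
# Attach to a virtual server listening on <VIP>:0 (all ports), protocol TCP.
when CLIENT_ACCEPTED {
    # TCP::local_port is the destination port the client connected to.
    switch -- [TCP::local_port] {
        80 -
        443 {
            # 443 is passed through still encrypted; the BIG-IP does not
            # read or modify HTTP headers in this design.
            pool pool_web
        }
        3120 {
            pool pool_3120
        }
        3121 {
            pool pool_3121
        }
        default {
            # Every port not listed above is silently discarded.
            # The log line helps spot scanning, but a wildcard listener can
            # see a lot of stray traffic; remove or rate-limit it if noisy.
            log local0.info "wildcard VS drop: [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
            drop
        }
    }
}
```

If the BIG-IP itself has to insert or rewrite True-Client-IP, this rule is not enough: as the reply above says, that needs the http profile, and SSL termination on the BIG-IP for port 443.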