"Content Switching" to non-addressable virtual server
Coming from a Netscaler world and trying to implement similar solutions on F5...
In our Netscaler environment, we have a few content switching vservers that forward traffic to LB vservers depending on host / URL in the GET. I understand I can do the content switching with an iRule, eg
when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::host]] {
        "www.mycompany.com" { virtual virtual_server_A }
        "email.mycompany.com" { virtual virtual_server_B }
    }
}
My question is regarding the target virtual servers (ie virtual_server_A and virtual_server_B in the above example). With the Netscaler, we configure these LB vservers as non-addressable to conserve public address space. Looking around on how to do the same on F5, I've come across two possible options that seem like they may do the same thing if I'm comprehending the wording correctly.
1) Create a virtual server as type "Internal" which is only addressable from other virtual servers and doesn't have an address assigned to it. This seems like the same as non-addressable vservers in Netscaler, but whenever I read about it, the documentation mentions that these virtual servers are for Internet Content Adaptation Protocol (ICAP) server for content adaptation. I don't really understand what this means but it has me wondering if it's not suited for what I want to do.
2) A "network virtual server". From what I read, this involves setting up a standard virtual server but for the destination address, use 0.0.0.0/0 instead of a real IP. Again, this sorta looks like what a non-addressable vserver looks like when configured on a Netscaler.
Are either of these correct for what I want to do, or is there a more correct option I haven't discovered yet? I'm reluctant to just experiment because the devices now sit on the other side of the world and I don't want to do something that might somehow break my access. I know it shouldn't, but I'm erring on the side of caution.
m0j0
If your intent is to save IP space and this traffic is strictly for HTTP, you can get away with a fairly simple iRule that will catch everything that comes through on the one virtual server:
when CLIENT_ACCEPTED {
    set DEFAULT_POOL [LB::server pool]
}
when HTTP_REQUEST {
    set HOST [string tolower [HTTP::host]]
    switch -glob $HOST {
        "www.mycompany.com" { pool pool1 }
        "email.mycompany.com" { pool pool2 }
        default { pool $DEFAULT_POOL }
    }
}
If any of these sites run over HTTPS, then you would have to perform SSL termination on that particular virtual server before using the above iRule on it, as well as if you send the decrypted traffic to the servers. Typically you would have 2 pools, one for 80 and one for 443, but the pool members would typically use an alternate port such as 8080 so that you can differentiate between what came in as HTTP and what came in as HTTPS traffic. If you have multiple SSL certificates you can go a step further and use SNI on the virtual server, but I would recommend going the route of having a SAN SSL cert or wildcard SSL cert, depending on the SSL FQDNs that you are using.
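As an added example (not code from the thread or from F5), here is one way to write the "two pools, alternate ports" setup the answer describes: the same iRule is attached to a port-80 virtual server and to a port-443 virtual server that carries a client SSL profile, routes on the Host header, and picks the 8080 or 8443 pool depending on which port the client connected to. The pool names, the port convention and the 404 for an unexpected Host are assumptions.

```tcl
# Added example, not from the thread. Attach this same iRule to two
# virtual servers: one listening on 80 and one on 443 (with a clientssl
# profile, so HTTP events see decrypted traffic).
# Pool names and the 8080/8443 convention are assumptions for this example.
when CLIENT_ACCEPTED {
    # Keep the virtual server's own default pool for hosts we do not list
    set default_pool [LB::server pool]
    # 443 means the client side was TLS, terminated by the clientssl profile;
    # choose the member port so the servers can tell HTTPS from HTTP traffic
    if { [TCP::local_port] == 443 } {
        set member_port "8443"
    } else {
        set member_port "8080"
    }
}

when HTTP_REQUEST {
    # The Host header may carry ":port"; keep only the name, lower-cased,
    # so "WWW.mycompany.com:443" still matches the switch below
    set host [string tolower [getfield [HTTP::host] ":" 1]]
    switch -glob $host {
        "www.mycompany.com" {
            pool "web_$member_port"
        }
        "email.mycompany.com" {
            pool "mail_$member_port"
        }
        "*.mycompany.com" {
            # Other names in our domain: fall back to the VS default pool
            pool $default_pool
        }
        default {
            # A Host we do not serve at all: answer locally instead of
            # letting the request reach any pool (assumed policy)
            HTTP::respond 404 content "Not Found" "Connection" "close"
        }
    }
}
```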
Hi m0j0,
First of all, everything said above is right. I just want to expand a bit on the differences between Citrix and F5.
In Citrix, if memory serves, you have separate vservers for Content Switching that work on L7 and vservers that do L4 load balancing.
In F5 you can do that with one virtual server. You don't have to layer things like in Citrix.
Depending on the parameters you set for a virtual server, it'll be either a L7 or a L4 virtual. The load balancing decision is made at the level of the load balancing pool. One of the properties of a pool is the load balancing method used. Hope this cleared up some things.
Daniel