Forum Discussion

m0j0
Dec 14, 2022

"Content Switching" to non-addressable virtual server

Coming from a Netscaler world and trying to implement similar solutions on F5...

In our Netscaler environment, we have a few content switching vservers that forward traffic to LB vservers depending on host / URL in the GET.  I understand I can do the content switching with an iRule, e.g.

    when HTTP_REQUEST {
        switch -glob [string tolower [HTTP::host]] {
            "www.mycompany.com" { virtual virtual_server_A }
            "email.mycompany.com" { virtual virtual_server_B }
        }
    }

My question is regarding the target virtual servers (ie virtual_server_A and virtual_server_B in the above example).  With the Netscaler, we configure these LB vservers as non-addressable to conserve public address space.  Looking around on how to do the same on F5, I've come across two possible options that seem like they may do the same thing if I'm comprehending the wording correctly.

1) Create a virtual server as type "Internal" which is only addressable from other virtual servers and doesn't have an address assigned to it.  This seems like the same as non-addressable vservers in Netscaler, but whenever I read about it, the documentation mentions that these virtual servers are for Internet Content Adaptation Protocol (ICAP) server for content adaptation.  I don't really understand what this means but it has me wondering if it's not suited for what I want to do.

2) A "network virtual server".  From what I read, this involves setting up a standard virtual server but for the destination address, use 0.0.0.0/0 instead of a real IP.  Again, this sorta looks like what a non-addressable vserver looks like when configured on a Netscaler.

Are either of these correct for what I want to do, or is there a more correct option I haven't discovered yet?  I'm reluctant to just experiment because the devices now sit on the other side of the world and I don't want to do something that might somehow break my access.  I know it shouldn't, but I'm erring on the side of caution.

  • m0j0 If your intent is to save IP space and this traffic is strictly for HTTP, you can get away with a fairly simple iRule that will catch everything that comes through on the one virtual server:

    when CLIENT_ACCEPTED {
        # Remember the virtual server's default pool so the switch can fall back to it
        set DEFAULT_POOL [LB::server pool]
    }

    when HTTP_REQUEST {
        # Normalise the Host header to lower case before matching
        set HOST [string tolower [HTTP::host]]
        switch -glob $HOST {
            "www.mycompany.com" {
                pool pool1
            }
            "email.mycompany.com" {
                pool pool2
            }
            default {
                pool $DEFAULT_POOL
            }
        }
    }

    If any of these sites run over HTTPS, then you would have to perform SSL termination on that particular virtual server before using the above iRule on it as well, if you send the decrypted traffic to the servers. Typically you would have 2 pools, one for 80 and one for 443, but the pool members would typically use an alternate port such as 8080 so that you can differentiate between what came in as HTTP and what came in as HTTPS traffic. If you have multiple SSL certificates you can go a step further and use SNI on the virtual server, but I would recommend going the route of having a SAN SSL cert or wildcard SSL cert, depending on the SSL FQDNs that you are using.

  • Hi m0j0,

    First of all, everything said above is right. I just want to expand a bit on the differences between Citrix and F5.

    In Citrix, if memory serves, you have separate vservers for Content Switching that work on L7 and vservers that do L4 load balancing.
    In F5 you can do that with one virtual server. You don't have to layer things like in Citrix.
    Depending on the parameters you set for a virtual server, it'll be either a L7 or a L4 virtual. The load balancing decision is made at the level of the load balancing pool. One of the properties of a pool is the load balancing method used.

    Hope this cleared up some things.
    Daniel

  • Hi mojo,

    In the F5 world, a VS-targeting-VS setup uses real network connections between the VS instances. So you have to use IPs on both sides.

    The VS_FrontEnd IP must be accessible by your clients for obvious reasons, but the VS_BackEnd IP may be made accessible only by the F5 itself by assigning non-routable IPs.

    You can basically choose any private IP and assign the IP to your VS_BackEnd. The IP used must not match any of the F5 attached subnets, and your network doesn't need to route the IP to your F5; the IP must only be unique in your network and reside in the same Route-Domain.

    Cheers, Kai
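    One way to combine the host-based switching from the question and the first answer with the VS-targeting-VS layout Kai describes, as an added example that is not from this thread: the iRule below sits on the client-facing virtual server and forwards to backend virtual servers vs_www_backend and vs_email_backend (assumed names), each a standard virtual server on a private, non-routed IP in the same route domain. It strips any port from the Host header, matches exactly rather than with glob patterns, and refuses unknown hosts instead of handing them to a default pool.

```tcl
# Added example iRule (not from the original thread). Backend virtual server
# names vs_www_backend and vs_email_backend are assumptions; they are regular
# virtual servers with an HTTP profile on private IPs nothing outside the F5
# routes to, which is what keeps them non-addressable from the network.
when HTTP_REQUEST {
    # HTTP::host may carry an explicit port ("www.mycompany.com:8443").
    # Strip it and normalise case so the match is on the name only.
    # (An IPv6 literal host such as "[::1]:80" ends up mangled here, but
    # it cannot match a branch anyway and falls to the default.)
    set host [string tolower [HTTP::host]]
    set host [lindex [split $host ":"] 0]

    # Exact matching: no wildcard patterns, so a lookalike name such as
    # "www.mycompany.com.example" cannot select a branch by accident.
    switch -exact -- $host {
        "www.mycompany.com" {
            virtual vs_www_backend
        }
        "email.mycompany.com" {
            virtual vs_email_backend
        }
        default {
            # Unknown or missing Host: answer 421 Misdirected Request and
            # close, rather than silently load balancing to a default pool.
            HTTP::respond 421 content "Unknown host" "Connection" "close"
        }
    }
}
```

    If the front-end virtual server terminates TLS, the backend virtual servers receive cleartext HTTP and need only an HTTP profile; the `virtual` command keeps the connection inside the F5, so the backend IPs never need to be reachable from the client network.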

  • m0j0

    Just reading some comments now that Local Traffic Policies are a better option than iRules for content switching so I'll look at that.  That still leaves the main question about how to have non-addressable target virtual servers for the switching destination, of course.

  • m0j0

    Thanks guys.  Everything you say makes perfect sense now that I sit back and look at it. The way Netscaler does content switching always annoyed me and being able to make more granular decisions at the virtual server was something I always wanted.

    It's going to take me a while to get out of the Netscaler headspace.  Unfortunately, I'm going to have to support both platforms for some time to come so I can't forget it completely.