Forum Discussion
"Content Switching" to non-addressable virtual server
- Dec 14, 2022
m0j0
If your intent is to save IP space and this traffic is strictly for HTTP, you can get away with a fairly simple iRule that will catch everything that comes through on the one virtual server:
    when CLIENT_ACCEPTED {
        # Remember the pool configured on the virtual server as the fallback
        set DEFAULT_POOL [LB::server pool]
    }
    when HTTP_REQUEST {
        # Match on the lowercased Host header
        set HOST [string tolower [HTTP::host]]
        switch -glob $HOST {
            "www.mycompany.com" { pool pool1 }
            "email.mycompany.com" { pool pool2 }
            default { pool $DEFAULT_POOL }
        }
    }
If any of these sites run over HTTPS, then you would have to perform SSL termination on that particular virtual server before using the above iRule on it as well, if you send the decrypted traffic to the servers. Typically you would have 2 pools, one for 80 and one for 443, but the pool members would typically use an alternate port such as 8080 so that you can differentiate between what came in as HTTP and what came in as HTTPS traffic. If you have multiple SSL certificates you can go a step further and use SNI on the virtual server, but I would recommend going the route of having a SAN SSL cert or wildcard SSL cert, depending on the SSL FQDNs that you are using.
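An added example, not part of the original post and not F5 code: a small Python model of the iRule's host switch for checking which pool a given Host header value lands in before the rule goes on a shared virtual server. It assumes the Host value may carry a port or a trailing dot; `fnmatchcase` only approximates Tcl `switch -glob`, and the function names, `DEFAULT_POOL` and the sample values are constructed for illustration.

```python
from fnmatch import fnmatchcase

# The switch table from the iRule above: (glob pattern, pool), first match wins.
RULES = [("www.mycompany.com", "pool1"), ("email.mycompany.com", "pool2")]
DEFAULT_POOL = "default_pool"  # assumption: stands in for [LB::server pool]


def select_pool(host_header, rules=RULES, default=DEFAULT_POOL):
    """Mirror the iRule: lowercase the Host value, then first glob match wins."""
    host = host_header.lower()
    for pattern, pool in rules:
        if fnmatchcase(host, pattern):  # approximates Tcl `switch -glob`
            return pool
    return default


def normalize_host(host_header):
    """Reduce a Host value to a bare lowercase name: drop port and trailing dot."""
    host = host_header.strip().lower()
    if host.startswith("["):            # IPv6 literal such as [2001:db8::1]:443
        host = host[1:].partition("]")[0]
    elif host.count(":") == 1:          # name:port or IPv4:port
        host = host.partition(":")[0]
    return host.rstrip(".")


def select_pool_normalized(host_header):
    """Same switch table, applied to the normalized host name."""
    return select_pool(normalize_host(host_header))


def audit(samples):
    """Return samples whose pool differs between the raw and normalized match."""
    return [(h, select_pool(h), select_pool_normalized(h))
            for h in samples if select_pool(h) != select_pool_normalized(h)]


# Constructed Host header values, not taken from any real traffic.
SAMPLES = ["www.mycompany.com", "WWW.MyCompany.com", "www.mycompany.com:8080",
           "email.mycompany.com.", "other.mycompany.com", "[2001:db8::1]:443"]

if __name__ == "__main__":
    for host, raw, norm in audit(SAMPLES):
        print(f"{host!r}: as written -> {raw}, normalized -> {norm}")
```

Every sample the audit reports is a request that the exact-name patterns send to the default pool even though it names one of the listed sites.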
- Dec 14, 2022
Hi m0j0,
First of all, everything said above is right. I just want to expand a bit on the differences between Citrix and F5.
In Citrix, if memory serves, you have separate vservers for Content Switching that work on L7 and vservers that do L4 load balancing.
In F5 you can do that with one virtual server. You don't have to layer things like in Citrix.
Depending on the parameters you set for a virtual server, it'll be either an L7 or an L4 virtual. The load balancing decision is made at the level of the load balancing pool. One of the properties of a pool is the load balancing method used.
Hope this cleared up some things.
Daniel
Hi mojo,
In the F5 world, a VS-targeting-VS setup is using real network connections between the VS instances. So you have to use IPs on both sides.
The VS_FrontEnd IP must be accessible by your clients for obvious reasons, but the VS_BackEnd IP may become only accessible by the F5 itself by assigning non-routable IPs.
You can basically choose any private IP and assign the IP to your VS_BackEnd. The IP used must not match any of the F5 attached subnets, and your network doesn't need to route the IP to your F5; the IP must only be unique in your network and reside in the same Route-Domain.
Cheers, Kai