Cory_Blankenshi
Aug 12, 2021

How does the BIG-IP process multiple LTM policies on a virtual server?

I have an LTM traffic policy on a virtual server that I use to perform hostname-based routing for 10 different applications. There is a rule for each app, and once there is a match on the hostname, no further rules are evaluated and traffic is forwarded appropriately.

Hypothetically, let's say that instead of using a single policy and multiple rules, I created a new policy for each of the 10 apps, with each policy having only one rule to route traffic for a single app. If a request for App_1 comes through and the hostname matches the rule in Policy_1, would the rules in policies 2-10 be evaluated, or would the evaluation stop similar to what happens with a single policy and multiple rules?

I'd love to hear any thoughts on this. I've been reading through the BIG-IP documentation but I haven't found anything yet, so any help would be greatly appreciated. :)

  • adando

    Just a public service announcement in case other people land at this page:

    One thing to be aware of with multiple LTM policies is that you cannot attach multiple policies to a VS if those policies have 'conflicting controls' - this means that the policies use the same controls. 

    I was setting up a tier 1 VS (in the "VIP targeting VIP style", see this Subreddit post for more info) where the HTTP Host field would be used to forward traffic to a different VS.  For various reasons our organisation wanted to use one LTM policy on the tier 1 VS per 'child' virtual server, rather than one policy with multiple rules (i.e. one rule per child VS).  So I did the following on a dev box:

    1. Create a VS "T1" acting as the tier 1.  Create two dummy VSes "A" and "B".
    2. Create two datagroups "A" and "B".  "A" contains "test.com", "B" contains "google.com"
    3. Create & publish LTM policy "A" with rule to match the HTTP Host header against datagroup A, action: forward to virtual server "A".
    4. Create & publish LTM policy "B" with rule to match the HTTP Host header against datagroup B, action: forward to virtual server "B".
    5. Attach LTM policy A to VS "T1"
    6. Attach LTM policy B to VS "T1"

    When you attempt step 6, this will fail with the following error:

    "010716fd:3: Virtual Server /build_test/T1' cannot contain policies with conflicting controls."

    This is documented by F5 here: https://my.f5.com/manage/s/article/K55864758

    Because we have our reasons for not wanting to use the rule-per-VS approach we will fall back to using an iRule which targets a datagroup.
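
The iRule-plus-datagroup fallback mentioned in the post above could look like the following. This is an added example, not adando's or F5's code; the string datagroup name `host_to_vs_dg`, its layout (hostname as key, target virtual server name as value) and the sample records are assumptions.

```tcl
when HTTP_REQUEST {
    # Normalise the Host header: lower-case it and drop an optional :port.
    # (Assumes plain hostnames; IPv6 literals in Host are not handled.)
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    # host_to_vs_dg is a hypothetical string datagroup with constructed records:
    #   "test.com"   := "/build_test/A"
    #   "google.com" := "/build_test/B"
    # class match -value returns the record's value, or "" when no key matches.
    set target_vs [class match -value $host equals host_to_vs_dg]

    if { $target_vs ne "" } {
        # Hand the request to the child virtual server, as the policy's
        # "forward to virtual server" action would have done.
        virtual $target_vs
    } else {
        # Unknown Host: refuse rather than fall through to a default pool.
        reject
    }
}
```

Because one iRule on the tier 1 virtual server does the whole lookup, onboarding another child virtual server means adding a datagroup record instead of attaching another policy.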

  • I believe all the 10 Policies will be evaluated irrespective of whether a match is found or not. So, keeping all the 10 options under a single policy will be a better approach.

    • Cory_Blankenshi

      I figured that was the case, but I wanted to verify before splitting up my policy. :)

      Thanks!