Forum Discussion
I rule
Can someone give me an iRule to load balance multiple pools for the same VIP
pool x 443 would be default
Pool y 5222
pool z 5223
37 Replies
- G_romano_187703
Nimbostratus
Hi,
Try this,
    when CLIENT_ACCEPTED {
        # choose the pool from the port of the connection
        if { [TCP::server_port] equals 5223 } {
            pool pool-tcp-port-5223
        } elseif { [TCP::server_port] equals 5222 } {
            pool pool-tcp-port-5222
        } elseif { [TCP::server_port] equals 443 } {
            pool pool-tcp-port-443
        }
    }
Bye!!!
Giorgio
- abi1980_184094
Nimbostratus
thanks romano will try and let you know
- abi1980_184094
Nimbostratus
germano one more quick question Can i use a single SNAT for all these pools
- nitass_89166
Noctilucent
    when CLIENT_ACCEPTED {
        # choose the pool from the port of the connection
        if { [TCP::server_port] equals 5223 } {
            pool pool-tcp-port-5223
        } elseif { [TCP::server_port] equals 5222 } {
            pool pool-tcp-port-5222
        } elseif { [TCP::server_port] equals 443 } {
            pool pool-tcp-port-443
        }
    }
i understand serverside connection is not available in CLIENT_ACCEPTED, so you may use TCP::local_port instead of TCP::server_port.
Can i use a single SNAT for all these pools
of course.
- abi1980_184094
Nimbostratus
Thanks for the reply Nitass. Can you explain me the difference between server_port and local_port
- G_romano_187703
Nimbostratus
Hi nitass, Sorry but I don't understand when you said: "i understand serverside connection is not available in CLIENT_ACCEPTED, so you may use TCP::local_port instead of TCP::server_port." At this link (https://clouddocs.f5.com/api/irules/TCP__server_port.html) the event CLIENT_ACCEPTED is a valid event! Where am I wrong? Thanx Giorgio
- nitass
Employee
Can you explain me the difference between server_port and local_port
iRules Concepts: Considering Context part 1 by Colin Walker
https://devcentral.f5.com/articles/irules-concepts-considering-context-part-1
TCP::local_port
https://devcentral.f5.com/wiki/iRules.TCP__local_port.ashx
TCP::server_port
https://devcentral.f5.com/wiki/iRules.TCP__server_port.ashx
- abi1980_184094
Nimbostratus
thanks for sharing
- nitass_89166
Noctilucent
At this link (https://devcentral.f5.com/wiki/iRules.TCP__server_port.ashx) the event CLIENT_ACCEPTED is a valid event!
Where am I wrong?
i understand serverside connection is not established when CLIENT_ACCEPTED is triggered, so TCP::server_port won't be available at that time.
e.g.
configuration
    [root@ve11c:Active:Sync Failed] config tmsh list ltm virtual bar
    ltm virtual bar {
        destination 172.28.24.10:80
        ip-protocol tcp
        mask 255.255.255.255
        pool foo
        profiles {
            tcp { }
        }
        rules {
            qux
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vs-index 7
    }
    [root@ve11c:Active:Sync Failed] config tmsh list ltm rule qux
    ltm rule qux {
        when CLIENT_ACCEPTED {
            log local0. "[TCP::server_port]"
        }
        when SERVER_CONNECTED {
            log local0. ""
        }
    }
client
    [root@centos1 ~] curl -I http://172.28.24.10
    curl: (52) Empty reply from server
    [root@centos1 ~]
/var/log/ltm
    [root@ve11c:Active:Sync Failed] config tail -f /var/log/ltm
    Mar 8 16:55:22 ve11c err tmm[15262]: 01220001:3: TCL error: /Common/qux - no serverside connection established (line 1) invoked from within "TCP::server_port"
- G_romano_187703
Nimbostratus
Thank you very much nitass!
Giorgio
- abi1980_184094
Nimbostratus
for 443 should i be doing SSL offloading on the client and server as well or only client side offloading would work
- nitass
Employee
for 443 should i be doing SSL offloading on the client and server as well or only client side offloading would work
there are a number of scenarios. you just make sure serverside on primary vs matches clientside on secondary vs.
e.g.
client <---> (clientssl) primary vs (serverssl) <---> (clientssl) secondary vs (serverssl) <---> https server
client <---> (clientssl) primary vs <---> secondary vs (serverssl) <---> https server
client <---> (clientssl) primary vs <---> secondary vs <---> http server
- abi1980_184094
Nimbostratus
thanks Nitass. Here i understand we have 2 VS associated with 443 servers. In our scenario we are planning to have a VIP with a wildcard entry for all the pools: pool 443, pool 5222, pool 5223
- nitass
Employee
oops sorry i was confused with another thread. please ignore my comment above.
- abi1980_184094
Nimbostratus
no issues. So again does it require ssl offloading on both side client and server for my scenario or only client side is enough
- nitass_89166
Noctilucent
So again does it require ssl offloading on both side client and server for my scenario or only client side is enough
if you want to send traffic to pool based on destination port, ssl offloading is not needed (i.e. no ssl offloading. virtual server is tcp standard virtual server or performance layer 4 virtual server type).
- abi1980_184094
Nimbostratus
Thanks Nitass. In my scenario we are planning to have a WILDCARD VIP for load balancing services 443, 5222 & 5223, so if i create a simple TCP profile and use this iRule mentioned above would it work
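
Added example (not part of the original thread and not any poster's or F5's code): the port-based pool selection discussed above, written with TCP::local_port as the replies suggest, for a wildcard virtual server with a plain TCP profile. The pool names are the ones from the first reply; rejecting and logging connections to any other port is an assumed policy.

```tcl
# Added example. Pool names come from the first reply in the thread;
# the reject-and-log default is an assumption about the desired policy.
when CLIENT_ACCEPTED {
    # In CLIENT_ACCEPTED only the clientside connection exists, so
    # TCP::local_port is the port the client connected to on the virtual
    # server. TCP::server_port needs a serverside connection and raises
    # "no serverside connection established" in this event.
    switch -- [TCP::local_port] {
        443  { pool pool-tcp-port-443 }
        5222 { pool pool-tcp-port-5222 }
        5223 { pool pool-tcp-port-5223 }
        default {
            # A wildcard virtual server accepts connections on every port.
            # Refuse anything that has no pool instead of letting it fall
            # through to a default pool.
            log local0.notice "no pool for port [TCP::local_port] from [IP::client_addr]"
            reject
        }
    }
}
```

On a listener exposed to port scans the log line in the default branch can be noisy; remove it or rate-limit it if log volume becomes a problem.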
