Forum Discussion
Multiple Service Ports on a Single VS
Hey guys,
I've seen a few articles on this already, but am really new to the F5's and am looking for additional clarification. We are looking at load balancing an application that uses the following ports:
10010 10012 10013 10014 10015 10016 10018 10019 10020 10021 10024 10025 10026 10027 10129 10130 10132 10133 10136 10137 10141
I want to spin each of these separate services up on a single VS so I can use a single IP (separate Pools for each service). I know I can use the following (below this paragraph), but I'd like to find a way to create some type of list that can be checked instead of checking these for every connection, such as "if { [class match [TCP::local_port] equals service-port-range] }". I'm not sure how using the service-port-range list works in the F5's or where I would specify the actual list.
when CLIENT_ACCEPTED {
    # Check if requested port is outside our App's Port ranges.
    # TCP::local_port is the port the client connected to on the virtual
    # server (TCP::client_port is the client's own source port), and each
    # allowed port has to be excluded with "and".
    if { [TCP::local_port] != 10010 and [TCP::local_port] != 10012 and
         [TCP::local_port] != 10013 and [TCP::local_port] != 10014 and
         [TCP::local_port] != 10015 and [TCP::local_port] != 10016 and
         [TCP::local_port] != 10018 and [TCP::local_port] != 10019 and
         [TCP::local_port] != 10020 and [TCP::local_port] != 10021 and
         [TCP::local_port] != 10024 and [TCP::local_port] != 10025 and
         [TCP::local_port] != 10026 and [TCP::local_port] != 10027 and
         [TCP::local_port] != 10129 and [TCP::local_port] != 10130 and
         [TCP::local_port] != 10132 and [TCP::local_port] != 10133 and
         [TCP::local_port] != 10136 and [TCP::local_port] != 10137 and
         [TCP::local_port] != 10141 } {
        # Drop request
        drop
    }
}
Thanks for all the help guys!
You would create 'service-port-range' as a string type data group under Local Traffic -> iRules -> Data Group List. Populate the data group with your port objects.
Then use the iRule to reference it and reject anything not in the list:
when CLIENT_ACCEPTED { if { ! [class match [TCP::local_port] equals service-port-range] } { reject } }
- Cory_50405 (Noctilucent)
- jwah24_138500 (Nimbostratus)
Thank you so much! I had seen references to the iRule, but had no idea about the data group list. This is working perfectly now!
- Desai_124243 (Nimbostratus)
Hi,
I want to allow only 4 TCP/UDP ports from a single virtual. Is the iRule configuration below right?
rule allowing_tcp_udp_traffic_rl {
    when CLIENT_ACCEPTED {
        # Check if requested port is allowing only TCP 443, TCP 80, UDP 4500 and UDP 500.
        # Each port has to be excluded with "and"; TCP:: commands only resolve
        # on a TCP virtual server and UDP:: commands only on a UDP one.
        if { [TCP::local_port] != 443 and [TCP::local_port] != 80 and
             [UDP::local_port] != 500 and [UDP::local_port] != 4500 } {
            # Drop request
            drop
        }
    }
}
Thanks
- Amanpreet_Singh (Cirrostratus)
Hi Desai, yes, this iRule looks fine. But always prefer to test such iRules in non-prod first ;-)
- Desai_124243 (Nimbostratus)
Thanks
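As an added illustration that is not code from this thread, the following plain-tclsh stand-in compares three ways of writing the port check discussed above: per-port "!=" comparisons joined with "or", the same comparisons joined with "and", and the data-group allow-list lookup from the accepted answer. It assumes the data group holds the service ports from the original question and replaces "class match" with lsearch so it runs offline; on a BIG-IP the port compared must be TCP::local_port (the port the client connected to), not TCP::client_port (the client's source port).

```tcl
# Added stand-in for the port checks discussed in this thread; it runs under
# plain tclsh, not on a BIG-IP, and "class match" against the data group is
# replaced by lsearch so the logic can be exercised offline.

# Assumed data-group contents: the service ports from the original question.
set service_port_range {
    10010 10012 10013 10014 10015 10016 10018 10019 10020 10021 10024
    10025 10026 10027 10129 10130 10132 10133 10136 10137 10141
}

# Per-port inequalities joined with "or": one port can never equal two
# different numbers, so at least one "!=" is always true and the rule drops
# every connection, allowed ports included.
proc or_chain_drops {port allowed} {
    foreach p $allowed {
        if { $port != $p } { return 1 }
    }
    return 0
}

# Per-port inequalities joined with "and": correct, but the port list is
# baked into the rule and has to be edited on every service change.
proc and_chain_drops {port allowed} {
    foreach p $allowed {
        if { $port == $p } { return 0 }
    }
    return 1
}

# Allow-list lookup, the shape of the accepted answer: the connection is
# dropped only when the virtual-server port is absent from the list, and the
# list lives in the data group rather than in the rule.
proc allowlist_drops {port allowed} {
    return [expr {[lsearch -exact $allowed $port] < 0}]
}

# Two allowed ports and two that are not; 1 means the connection is dropped.
foreach port {10010 10141 10011 443} {
    puts [format "port %-5d  or-chain=%d  and-chain=%d  allow-list=%d" $port \
        [or_chain_drops $port $service_port_range] \
        [and_chain_drops $port $service_port_range] \
        [allowlist_drops $port $service_port_range]]
}
```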