Forum Discussion

Racquel_Mays's avatar
Racquel_Mays
Icon for Employee rankEmployee
Feb 09, 2021

Use LTM Policies to Create a VIP listening on Specific Ports

All, we are moving from A10 to F5 LTM. With A10 we have 1 VIP, and up to 4 "service-groups" or pools serving 4 specific ports. My goal is to provide a similar functionality in the LTM using Local Traffic Policy-not iRules [solely]. I understand, with LTM it's common or 'best' to have multiple VIPs; one for each service. However, our fear it that this will become a challenge to manage.

 

In testing the policies, I find that it works partially, so long as the VIP's IP matches one of the ports on the data-group configured in the policy. The question is, "How should the VIP be configured, along with a policy, which states it should listen on multiple ports?"

  • #facepalm...notice the hidden option on the tcp port:

    mine was remote by default, changing to local fixed the issue. Working policy that should help:

    ltm policy allports_testpolicy {
        controls { forwarding }
        last-modified 2021-02-10:16:42:35
        requires { tcp }
        rules {
            tcp-80 {
                actions {
                    0 {
                        forward
                        client-accepted
                        select
                        pool nerdlife_pool
                    }
                }
                conditions {
                    0 {
                        tcp
                        client-accepted
                        port
                        local
                        values { 80 }
                    }
                }
            }
            tcp-8080 {
                actions {
                    0 {
                        forward
                        client-accepted
                        select
                        pool nerdlife_pool
                    }
                }
                conditions {
                    0 {
                        tcp
                        client-accepted
                        port
                        local
                        values { 8080 }
                    }
                }
                ordinal 1
            }
            tcp-all-else {
                actions {
                    0 {
                        shutdown
                        client-accepted
                        connection
                    }
                }
                conditions {
                    0 {
                        tcp
                        client-accepted
                        port
                        local
                        not
                        values { 80 8080 }
                    }
                }
                ordinal 2
            }
        }
        status published
        strategy first-match
    }

22 Replies

  • Subrun's avatar
    Subrun
    Icon for Cirrostratus rankCirrostratus

    @Jason Rahm

     

    I have the same requirement to implement. Request will come to 5 different and need to forward the traffic to same port by pool members.

     

    @Jason , wondering if LTM Policy you shared is working ? Will be much appreciated if you can help.

     

    According to last comment , did you mean intended purpose is tested with iRule but not working by a LTM Policy ? If this is right can you explain couple of query from your provided iRule ?

     

    1. when CLIENT_ACCEPTED {
    2. switch [TCP::local_port] {
    3. 80 - >>>>> What is means - , purpose of it
    4. 8080 { pool nerdlife_pool } >>>>> What is means - , purpose of it
    5. default { reject } >>>> Whats the reason Reject was set ?
    6. }
    7. }

     

    Is that possible to provide a sample iRule like for 3 ports ?

  • From a management point of view, I personally think creating multiple Virtual Servers on separate ports is an easier and more understandable solution.

     

    If you do want to create a single Virtual Server that listens on multiple ports, you can use a Traffic Matching Criteria on the virtual:

     

    ltm traffic matching criteria

     

    You have to create and assign the traffic-matching-criteria from the CLI, but you can use address lists and port lists, and can configure Source Address lists and destination address lists/destination port lists.

    • Subrun's avatar
      Subrun
      Icon for Cirrostratus rankCirrostratus

      I agree Simon...Client does not want to use multiple virtual server instead want to use One VIP.