Forum Discussion
Use LTM Policies to Create a VIP listening on Specific Ports
All, we are moving from A10 to F5 LTM. With A10 we have 1 VIP, and up to 4 "service-groups" or pools serving 4 specific ports. My goal is to provide similar functionality in the LTM using Local Traffic Policy, not iRules [solely]. I understand that with LTM it's common or 'best' to have multiple VIPs, one for each service. However, our fear is that this will become a challenge to manage.
In testing the policies, I find that it works partially, so long as the VIP's IP matches one of the ports on the data-group configured in the policy. The question is, "How should the VIP be configured, along with a policy, which states it should listen on multiple ports?"
#facepalm...notice the hidden option on the tcp port:
Mine was remote by default; changing to local fixed the issue. Working policy that should help:
```
ltm policy allports_testpolicy {
    controls { forwarding }
    last-modified 2021-02-10:16:42:35
    requires { tcp }
    rules {
        tcp-80 {
            actions {
                0 {
                    forward
                    client-accepted
                    select
                    pool nerdlife_pool
                }
            }
            conditions {
                0 {
                    tcp
                    client-accepted
                    port
                    local
                    values { 80 }
                }
            }
        }
        tcp-8080 {
            actions {
                0 {
                    forward
                    client-accepted
                    select
                    pool nerdlife_pool
                }
            }
            conditions {
                0 {
                    tcp
                    client-accepted
                    port
                    local
                    values { 8080 }
                }
            }
            ordinal 1
        }
        tcp-all-else {
            actions {
                0 {
                    shutdown
                    client-accepted
                    connection
                }
            }
            conditions {
                0 {
                    tcp
                    client-accepted
                    port
                    local
                    not
                    values { 80 8080 }
                }
            }
            ordinal 2
        }
    }
    status published
    strategy first-match
}
```
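A small audit of this policy format, as an added example that is not part of the original thread: it parses the tmsh text and flags ports that the catch-all rule exempts but no rule forwards, since such traffic matches no rule and is left to the virtual server's default behaviour. The `DRIFTED` variant and the function names are constructed for illustration, and the parser assumes one condition and one action per rule, as in the posted policy.

```python
import re

# Policy from the thread, condensed (last-modified stamp dropped).
POLICY = """ltm policy allports_testpolicy { controls { forwarding } requires { tcp } rules {
 tcp-80 { actions { 0 { forward client-accepted select pool nerdlife_pool } }
   conditions { 0 { tcp client-accepted port local values { 80 } } } }
 tcp-8080 { actions { 0 { forward client-accepted select pool nerdlife_pool } }
   conditions { 0 { tcp client-accepted port local values { 8080 } } } ordinal 1 }
 tcp-all-else { actions { 0 { shutdown client-accepted connection } }
   conditions { 0 { tcp client-accepted port local not values { 80 8080 } } } ordinal 2 }
} status published strategy first-match }"""
# Constructed drift: 8443 exempted from the catch-all, but no rule forwards it.
DRIFTED = POLICY.replace("not values { 80 8080 }", "not values { 80 8080 8443 }")

def parse(toks):
    """Parse tmsh brace syntax into a list of words and (name, children) tuples."""
    items = []
    while toks:
        tok = toks.pop(0)
        if tok == "}":
            break
        if toks and toks[0] == "{":
            toks.pop(0)
            items.append((tok, parse(toks)))
        else:
            items.append(tok)
    return items

def block(items, name):
    """Children of the first block called `name`, or an empty list."""
    return next((i[1] for i in items if isinstance(i, tuple) and i[0] == name), [])

def audit(text):
    """Compare the ports that are forwarded with the ports the catch-all skips."""
    policy = parse(re.findall(r"[{}]|[^\s{}]+", text))[-1][1]
    forwarded, exempt = set(), None
    for _, rule in (r for r in block(policy, "rules") if isinstance(r, tuple)):
        cond = block(block(rule, "conditions"), "0")  # single-condition rules only
        act = block(block(rule, "actions"), "0")
        ports = {int(p) for p in block(cond, "values")}
        if "forward" in act and "not" not in cond:
            forwarded |= ports
        elif "shutdown" in act and "not" in cond:
            exempt = ports
    # Exempt but never forwarded: matches no rule, so the policy takes no action.
    gaps = sorted((exempt or set()) - forwarded)
    return {"forwarded": sorted(forwarded), "catch_all": exempt is not None, "unhandled": gaps}

if __name__ == "__main__":
    print(audit(POLICY))
    print(audit(DRIFTED))
```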
- Subrun (Cirrostratus)
I have the same requirement to implement. Requests will come to 5 different ports and need to be forwarded to the same port on the pool members.
@Jason, wondering if the LTM Policy you shared is working? It will be much appreciated if you can help.
According to the last comment, did you mean the intended purpose was tested with an iRule but is not working with an LTM Policy? If this is right, can you explain a couple of queries about the iRule you provided?
```
when CLIENT_ACCEPTED {
    switch [TCP::local_port] {
        80 -                          >>>>> What does this mean, and what is its purpose?
        8080 { pool nerdlife_pool }   >>>>> What does this mean, and what is its purpose?
        default { reject }            >>>>> What's the reason reject was set?
    }
}
```
Is it possible to provide a sample iRule, e.g. for 3 ports?
- Simon_Blakely (Employee)
From a management point of view, I personally think creating multiple Virtual Servers on separate ports is an easier and more understandable solution.
If you do want to create a single Virtual Server that listens on multiple ports, you can use a Traffic Matching Criteria on the virtual:
You have to create and assign the traffic-matching-criteria from the CLI, but you can use address lists and port lists, and can configure Source Address lists and destination address lists/destination port lists.
- Subrun (Cirrostratus)
I agree, Simon... The client does not want to use multiple virtual servers and instead wants to use one VIP.