
Racquel_Mays (Employee)
Feb 09, 2021
Solved

Use LTM Policies to Create a VIP listening on Specific Ports

All, we are moving from A10 to F5 LTM. With A10 we have 1 VIP and up to 4 "service-groups" or pools serving 4 specific ports. My goal is to provide similar functionality in the LTM using Local Traffic Policies, not iRules [solely]. I understand that with LTM it's common or 'best' to have multiple VIPs, one for each service. However, our fear is that this will become a challenge to manage.


In testing the policies, I find that it works partially, so long as the VIP's IP matches one of the ports on the data-group configured in the policy. The question is, "How should the VIP be configured, along with a policy, which states it should listen on multiple ports?"

  • #facepalm...notice the hidden option on the tcp port:

    Mine was remote by default; changing to local fixed the issue. Working policy that should help:

    ltm policy allports_testpolicy {
        controls { forwarding }
        last-modified 2021-02-10:16:42:35
        requires { tcp }
        rules {
            tcp-80 {
                actions {
                    0 {
                        forward
                        client-accepted
                        select
                        pool nerdlife_pool
                    }
                }
                conditions {
                    0 {
                        tcp
                        client-accepted
                        port
                        local
                        values { 80 }
                    }
                }
            }
            tcp-8080 {
                actions {
                    0 {
                        forward
                        client-accepted
                        select
                        pool nerdlife_pool
                    }
                }
                conditions {
                    0 {
                        tcp
                        client-accepted
                        port
                        local
                        values { 8080 }
                    }
                }
                ordinal 1
            }
            tcp-all-else {
                actions {
                    0 {
                        shutdown
                        client-accepted
                        connection
                    }
                }
                conditions {
                    0 {
                        tcp
                        client-accepted
                        port
                        local
                        not
                        values { 80 8080 }
                    }
                }
                ordinal 2
            }
        }
        status published
        strategy first-match
    }

22 Replies

  • There are several ways to satisfy your requirements. I will skip all the "iRule ways", since they are not interesting for you.

    As stated, your VS should listen on port 0. The LTM Traffic Policy should have a default rule at the end, like a firewall, to reject all traffic that won't match the rules above it.


  • If you need the virtual server to listen on more than one port, the port should be configured as 0. If you are asking something else, please provide more details and I'll do my best to point you in the right direction.
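Putting the two replies above together, here is an added worked example (not configuration from the thread or from F5) of the whole setup: a port-0 virtual server, one pool per service port to mirror the A10 service-groups, and a published policy whose last rule drops anything the earlier rules did not match. Names, addresses and the pool split are assumed (10.1.10.50 is the VIP, 10.1.20.11 and 10.1.20.12 are the servers, pools pool_web_80 and pool_web_8080); the `create ltm policy` syntax is the draft-then-publish form used on 12.1 and later, so check it against your version's tmsh reference before pasting. Each command is one line, entered at the tmsh prompt.

```tmsh
# Added example, not part of the original thread. All names/addresses are assumed.

# One pool per service port, like A10 service-groups. Members carry the real
# port, so the default port translation maps the VS's :0 onto the member port.
create ltm pool pool_web_80 members add { 10.1.20.11:80 10.1.20.12:80 } monitor http
create ltm pool pool_web_8080 members add { 10.1.20.11:8080 10.1.20.12:8080 } monitor tcp

# Policy is created as a draft and then published. "port local" is the port the
# client connected to on the VIP; "port remote" would be the client's source port,
# which is why a remote match only works by accident.
create ltm policy Drafts/allports_policy strategy first-match controls add { forwarding } requires add { tcp } rules add { tcp-80 { ordinal 0 conditions add { 0 { tcp client-accepted port local values { 80 } } } actions add { 0 { forward client-accepted select pool pool_web_80 } } } tcp-8080 { ordinal 1 conditions add { 0 { tcp client-accepted port local values { 8080 } } } actions add { 0 { forward client-accepted select pool pool_web_8080 } } } tcp-all-else { ordinal 2 conditions add { 0 { tcp client-accepted port local not values { 80 8080 } } } actions add { 0 { shutdown client-accepted connection } } } }
publish ltm policy Drafts/allports_policy

# Wildcard-port virtual server. No default pool is set on purpose: with a pool
# here, any port the policy does not explicitly drop would still be forwarded.
create ltm virtual vs_allports destination 10.1.10.50:0 ip-protocol tcp profiles add { tcp } policies add { allports_policy } source-address-translation { type automap }

# Checks: the policy should show "status published", and the VS should show
# connections only for 80 and 8080 once traffic flows.
list ltm policy allports_policy
show ltm virtual vs_allports
```

The final `tcp-all-else` rule is the part to keep an eye on: a port-0 virtual server accepts a connection on every TCP port before the policy runs, so without an explicit shutdown rule (or with a default pool on the VS) the BIG-IP becomes a relay to whatever else is listening on the pool members. Test it by connecting to the VIP on an unlisted port, for example 22 or 443, and confirming the connection is reset rather than answered.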