Forum Discussion
VIP with multiple pools and TCP ports
The use of an iRule will be non-trivially slower than using separate Virtual Servers. Incidentally, if the pools all contain the same set of nodes and differ only by listening port, you could define a single Virtual Server and single pool, where all members (and the VS) use the wildcard port, and disable port translation.
Having said that, the use of a data-group will be faster than a switch. I'm assuming that there is a single VS IP address, but multiple pools. In that case, the best structure for the data-group is:
    create ltm data-group internal dg-port-match type string records add \
        { 901 { data pool_901 } \
          902 { data pool_902 } \
          903 { data pool_903 } \
          ... }
In other words, the key is the VS port and the value is the pool. Then, the iRule is:
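    when CLIENT_ACCEPTED {
        # Look up the pool mapped to the port the client connected to
        set p [class lookup [TCP::local_port] dg-port-match]
        if { $p ne "" } {
            pool $p
        } else {
            # Tcl requires "else" on the same line as the closing brace of the "if" body
            log local0.warn "Invalid port connect attempt; port = ([TCP::local_port])"
            reject
        }
    }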
Strictly speaking, if no default pool is associated with the VS and it is of Standard or FastL4 type, the reject is implicit, so you can skip that if you don't wish to log (and, of course, it makes more sense to use High-Speed Logging rather than local logging for production).
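The High-Speed Logging variant mentioned at the end of the answer above, as an added example that is not part of the original post. It assumes the `dg-port-match` data-group shown earlier and a hypothetical pool `pool_hsl_syslog` of remote syslog receivers reachable over UDP; the log field layout is constructed for illustration. It also goes one step further than the post by handling a data-group entry that names a pool which does not exist.

```tcl
# Added example: port-to-pool selection with High-Speed Logging (HSL).
# Assumptions: dg-port-match is the data-group from the post;
# pool_hsl_syslog is a hypothetical pool of remote syslog receivers.
when CLIENT_ACCEPTED {
    set port [TCP::local_port]
    set p [class lookup $port dg-port-match]
    set reason ""

    if { $p eq "" } {
        # No data-group record for this listening port.
        set reason "no-mapping"
    } elseif { [catch { pool $p } err] } {
        # The record exists but names a pool that is not configured;
        # without the catch this would surface as a Tcl runtime error.
        set reason "bad-pool:$p"
    }

    if { $reason eq "" } {
        # Pool selected successfully; nothing to log.
        return
    }

    # Send one syslog line off-box instead of writing to the local log.
    # 132 is the syslog priority for facility local0 (16) and
    # severity warning (4): 16 * 8 + 4.
    set hsl [HSL::open -proto UDP -pool pool_hsl_syslog]
    HSL::send $hsl "<132>irule=port-match action=reject reason=$reason client=[IP::client_addr]:[TCP::client_port] vip=[IP::local_addr]:$port\n"
    reject
}
```

Opening the HSL handle only on the reject path keeps the common, successful path as cheap as the original iRule.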