Forum Discussion
Virtual Server configuration
Hi - I could use some advice on best practice.
For a virtual server that must listen on 2 ports for client traffic, e.g. 8080 and 80, with each port serving the same data, should I just select the "All ports" option in the VS configuration or have 2 separate virtual servers? All the connection details will be the same and they will use the same pool.
Also, what if I also need to have the same VS IP address supporting SMB connections?
If I set as follows will this work?
Name      IP         Service
VS-SMB    10.0.0.1   445
VS-Web    10.0.0.1   All Ports
Or would it be better to have
Name      IP         Service
VS-SMB    10.0.0.1   445
VS-Web    10.0.0.1   80
VS-Webp   10.0.0.1   8080
Any thoughts/help much appreciated.
Thanks,
Sero
4 Replies
- What_Lies_Bene1
Cirrostratus
If you're happy to apply an iRule (dropping non-80/8080 traffic) to the All Ports VS then I'd go for option 1, two VSs. I wouldn't be happy with that option if you left the VS open to non port 80 and 8080 traffic (even if it isn't served). The admin saving with only having one HTTP VS outweighs managing a single simple iRule. The iRule would look like this (not sure if this needs the string command adding):

    when CLIENT_ACCEPTED {
        # Drop any connection whose destination port is not 80 or 8080
        if { !(([TCP::local_port] == 80) or ([TCP::local_port] == 8080)) } {
            drop
        }
    }

- Kleython_Kell_5
Nimbostratus
Beneath,
If he uses only one VS for ports 80 and 8080, and doesn't use an iRule to drop packets to other ports, what would be the real problem, if in this case the F5 wouldn't do anything with other ports?
Regards,
Kleython Kell
- What_Lies_Bene1
Cirrostratus
The VS would quite happily handle HTTP traffic on any other port without the iRule. Why potentially expose the HTTP parser unnecessarily to unwanted or unauthorised traffic? You also get the choice to drop or reject the traffic on a VS-specific basis and not rely on the global Unmatched Packet behavior. Personally I'd rather use a packet filter to provide even better protection resource-wise but they don't seem popular (perhaps AFM will change that).
- Eric_Radhik_123
Nimbostratus
It would be quite simple to use your second method and just create a VS per needed port.
(All VS will have the same IP)
VS1 port 80
VS2 port 8080
VS3 port 445
Yes, it is very possible to do an "ALL Ports" but making it overly complicated is exactly that... complicated. But that is in my opinion and I'm sure it works in other environments. I work in an environment where there are multiple people making adds, moves, and changes to the VS and I don't want to get those phone calls saying... "Huh?" Now, I have used the iRule method but the VS had a need for over 40+ ports to be opened and that is where I was using the iRule.
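For the many-ports case mentioned in the thread, the allow-list can live in a data group instead of a chain of comparisons. This is an added example, not code from any of the posters; the data group name allowed_vs_ports_dg is hypothetical and is assumed to be an integer-type data group holding the ports the All Ports VS should serve.

```tcl
# Added example: port allow-list for a wildcard-port ("All Ports") virtual server.
# Assumption: allowed_vs_ports_dg is an integer data group (hypothetical name)
# containing the permitted destination ports, e.g. 80 and 8080.
when CLIENT_ACCEPTED {
    set lport [TCP::local_port]

    # Anything not listed in the data group never reaches the HTTP profile.
    if { ![class match $lport equals allowed_vs_ports_dg] } {
        # Record the attempt so unexpected ports show up in /var/log/ltm.
        # Remove or rate-limit this line if the VS is exposed to noisy scanning.
        log local0.info "Blocked [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:$lport (port not in allow-list)"

        # drop discards silently; use reject instead to send a TCP RST.
        drop
        return
    }
}
```

Adding or removing a port then means editing the data group only, and the drop-versus-reject choice stays specific to this VS.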
