For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Ted_Brown_18184's avatar
Ted_Brown_18184
Icon for Nimbostratus rankNimbostratus
Sep 30, 2015

VS Matching Algorithm

I have a question about the VS matching algorithm. I have found a couple of references to the matching order for host and network based VSs, but nothing definitive covering two host based entries.

 

Assume I have the following VSs:

 

10.10.10.10:80 10.10.10.10:443 10.10.10.10:8080 10.10.10.10:*

 

In this case, since the wildcard VS also matches against traffic on ports 80, 443, & 8080, will it be used for that traffic, or since the other three VSs are more specific from a match perspective, will traffic to ports 80, 443, and 8080 match those specific VSs?

 

The traffic to the specifically defined VSs needs to be destined to different pools and undergo different treatment.

 

Here is a reference to the article I found on host/network VS matching algorithm.

 

https://devcentral.f5.com/questions/host-and-network-destination-address-difference

 

application delivery
deployment
design
LTM

2 Replies

  • Ed_Summers's avatar
    Ed_Summers
    Icon for Nimbostratus rankNimbostratus
    Sep 30, 2015

    As you noted, the OOP matches on exact/longest match first for the destination. If traffic arrives for destination 10.10.10.10 on either ports 80, 443, or 8080, the traffic will be directed to the respective VS. Only if traffic arrives for a port other than 80, 443, or 8080 will the last VS you listed (10.10.10.10:*) be used.

     

    See SOL14800 for more details. It goes further by including the 'Source' address (which was added in ver 11.3.0). The SOL contains some examples that may be helpful, but holler back if any other questions!