Forum Discussion
Robert_Richmond
Nimbostratus
Aug 16, 2007
Wildcard VIP with iRule defining Port
Thanks for taking the time to read this.
I am trying to load balance Cisco Secure traffic through a VIP. And here are my options:
A) Create a separate VIP with a separate pool for each port (49, 1645, 1646, 1812, and 1813)
B) Create a single VIP with a separate pool for each port, and use an iRule to correlate the incoming port with the pool.
C) Create a single VIP with a single pool, using an iRule to initiate the connection to the pool member on the inbound port.
I know how to do options A and B. I am looking for examples or tips on how to write the iRule for option C...
Any suggestions, help, or tips would be greatly appreciated.
Thanks!
Rob
- JRahm
Admin
Option C doesn't need an iRule. If you set the pool members up with a wildcard port as well, the LTM by default will forward the inbound port.
- Robert_Richmond
Nimbostratus
Maybe I should have clarified. I want to drop traffic not on the ports specified... security.
- JRahm
Admin
Still don't need a rule if you use a packet filter, but if you want a rule, this should work for you assuming your pool members have their port set to any:

    class myRadius_class {
       "1645"
       "1646"
       "1812"
       "1813"
    }

    when CLIENT_ACCEPTED {
       if { ([TCP::local_port] == 49) or [matchclass [UDP::local_port] equals $::myRadius_class ] } {
          pool myPool
       } else {
          discard
       }
    }
- Robert_Richmond
Nimbostratus
citizen_elah,
- Robert_Richmond
Nimbostratus
I used data group lists instead of classes and tweaked yours to the iRule below (probably unnecessary, but a good exercise for a new iRule-er). When I apply the rule, the VIP is looking for both TCP and UDP profiles to be applied (due to the matchclass statements). Being configured as a standard VIP, this is not possible. Will I need to configure this as a 'Performance (Layer 4)' type VIP with '*All Protocols' selected?
- JRahm
Admin
Yes, you'll need the performance l4 type to match both tcp & udp.
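
The port allowlist from this thread, written for the Performance (Layer 4), all-protocols wildcard VIP the last reply calls for. This is an added example, not code posted by either participant. It branches on IP::protocol first, so TCP is accepted only on port 49 (TACACS+) and UDP only on the four RADIUS ports. It assumes the pool name myPool from the reply above, pool members with their port set to any, and that TCP::local_port and UDP::local_port are usable under the Layer 4 profile as the thread indicates.

```tcl
# Added example, not from the thread.
# Assumptions: wildcard-port virtual server, type Performance (Layer 4),
# protocol "All Protocols"; pool myPool (name from the thread) with
# members listening on port any.
when CLIENT_ACCEPTED {
    # IP::protocol returns the IP protocol number: 6 = TCP, 17 = UDP.
    switch [IP::protocol] {
        6 {
            # TACACS+ is the only TCP service allowed through.
            if { [TCP::local_port] == 49 } {
                pool myPool
            } else {
                discard
            }
        }
        17 {
            # RADIUS authentication and accounting, legacy and current ports.
            switch [UDP::local_port] {
                1645 -
                1646 -
                1812 -
                1813 { pool myPool }
                default { discard }
            }
        }
        default {
            # Any other IP protocol is outside the allowlist.
            discard
        }
    }
}
```

Keying the decision on the protocol and port together means a TCP connection to 1812 or a UDP datagram to 49 is discarded rather than forwarded to the pool.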