Create functional wildcard port VIP?

fsweetserfsweetser Member
in System
I'm trying to set up a virtual server such that, when it receives traffic for a port on the VIP that does not match any other VIP, it a) processes the traffic, and b) preserves the original client destination port when relaying the request to the backend servers. It looks like I want a wildcard VIP, but I couldn't get anything working from the very minimal docs. Does anyone have an example of what I'm trying to do they'd be willing to share?

Comments

  • UnknownUnknown
    edited February 2014
    hello here is an example configuration below, A Wildcard VIP is used to load balance proxy servers. You can use an ACL to block any unwanted traffic from the wildcard VIP.

    !
    access-list 101 deny ip any 170.235.0.0 0.0.255.255
    access-list 101 deny ip any 10.0.0.0 0.0.0.127
    access-list 101 deny ip 10.32.35.240 0.0.0.7 any
    access-list 101 permit icmp any any
    access-list 101 permit tcp any any eq 80
    access-list 101 permit tcp any any eq 443
    !
    !
    slb server Proxy-0 10.0.0.100
    port 80 tcp
    port 443 tcp
    !
    slb server Proxy-1 10.0.0.101
    port 80 tcp
    port 443 tcp
    !
    !
    slb service-group Proxy80 tcp
    method least-connection
    member Proxy-0:80
    member Proxy-1:80
    !
    slb service-group Proxy443 tcp
    method least-connection
    member Proxy-0:443
    member Proxy-7:443
    !
    !
    slb template tcp TCP_Idle
    idle-timeout 300
    reset-fwd
    reset-rev
    !
    slb template persist source-ip SIP-Persist1
    match-type server
    !
    !
    slb virtual-server VIP-Proxy 0.0.0.0 acl 101
    ha-group 1
    port 80 tcp
    name _wildcard_v4_101_TCP_80
    service-group Proxy80
    use-rcv-hop-for-resp
    use-default-if-no-server
    template tcp TCP_Idle
    template persist source-ip SIP-Persist1
    port 443 tcp
    name _wildcard_v4_101_TCP_443
    service-group Proxy443
    use-rcv-hop-for-resp
    use-default-if-no-server
    template tcp TCP_Idle
    template persist source-ip SIP-Persist1
    !
    !
  • fsweetserfsweetser Member
    edited February 2014
    Thanks, but that doesn't quite look like what I'm going for. That looks like it's handling specific ports on a wildcard IP, while what I want is the inverse - I want a specific IP address to handle any tcp port, and pass it to the selected backend server unmodified.
  • UnknownUnknown
    edited February 2014
    Hello on that case you can use the following example Port 0 or others can be defined.

    slb virtual-server VIP-Proxy 10.10.10.1
    ha-group 1
    port 0 tcp
  • [Deleted User][Deleted User]
    edited February 2014
    Something like this would work. This will do destination NAT to the server, but will not change the destination tcp or udp port. If you require only tcp you can remove the udp and others configuration. Others will load balance all protocols other than tcp and udp. If you have ICMP health checks disabled you may have to add a health check to each server.

    !
    slb server s1 10.2.1.10
    port 0 tcp
    no health-check
    port 0 udp
    no health-check
    !
    slb server s2 10.2.1.11.11
    port 0 tcp
    no health-check
    port 0 udp
    no health-check
    !
    slb service-group _tcp_0_sg tcp
    member s1:0
    member s2:0
    !
    slb service-group _udp_0_sg udp
    member s1:0
    member s2:0
    !
    slb virtual-server All_Ports_vs 10.1.1.10
    port 0 tcp
    name _10.1.1.10_TCP_0
    service-group tcp_0_sg
    port 0 others
    name _10.1.1.10_Others_0
    service-group tcp_0_sg
    port 0 udp
    name _10.1.1.10_UDP_0
    service-group udp_0_sg
    !
  • [Deleted User][Deleted User]
    edited February 2014
    Fsweetser,

    Try searching for Outbound Link Load Balancing in the documentation. :-) There is a pretty good example. I have to build this up for a customer today and will post an example later.

    Best regards,

    ToddH
  • [Deleted User][Deleted User]
    edited February 2014
    The example config above is perfect, but you need to add the "no-dest-nat" to the VIP ports.

    -ToddH-
  • fsweetserfsweetser Member
    edited February 2014
    Thanks, that gets me 98% of the way there! The last missing bit now, though, is that port 0 only seems to work when configured as TCP, but I need mine as HTTPS, since I have to do cookie persistence and an aFlex URL rewrite. Is there some other trick required to get it working as an HTTPS port?
  • [Deleted User][Deleted User]
    edited February 2014
    Fsweetser,

    SSL termination is not possible with a wildcard VIP using no-dest-nat. You may be able to use a VIP with a subnet range and IP-Header insert (x-forwarded-for). I would recommend contacting your SE and working out a solution that meets your needs. There are plenty of options available. :-)

    Best regards,

    -ToddH-
  • fsweetserfsweetser Member
    edited February 2014
    I don't think it's the no-dest-nat, as I actually had a mostly working config with port 0 and without no-dest-nat. I'm in a one-armed config, so I do actually need NAT enabled. It looks like it's the port 0 that's conflicting for me. I'll follow up with my SE now that I have a better idea of what I'm looking for. Thanks!
Sign In or Register to comment.

© Copyright 2024 - A10 Networks Community - All Rights Reserved. | Legal